| Cuckoo | |
| --- | --- |
| Additional names | No |
| Type of malware | Infostealer and Spyware |
| Country of origin | Unknown |
| Date of initial activity | April, 2024 |
| Associated groups | No threat actor has claimed responsibility for the malware campaign. |
| Motivation | Sensitive information theft and surveillance |
| Type of information stolen | Login Credentials, Financial Information, Cryptocurrencies, Communication data, Browser Data |
| Attack vectors | The malware is delivered through a disk image (DMG) file downloaded from the dumpmedia[.]com website and from additional websites hosting similar malicious application tools. |
| Targeted system | macOS (Intel and ARM-based Macs) |
Overview
Kandji researchers recently came across a novel malicious Mach-O binary that combines the functionality of spyware and an infostealer. The researchers named the new malware “Cuckoo” after the Cuckoo bird, which lays its eggs in the nests of other birds and exploits their resources for the benefit of its offspring.
The malware was first spotted on April 24th, 2024, in a Mach-O binary disguised as “DumpMediaSpotifyMusicConverter”, an application that claims to convert music from Spotify to MP3 format. Analysis shows that Cuckoo is a universal binary capable of running on both Intel and ARM-based Macs.
Targets
Apple Mac and MacBook users.
How they operate
The malware is delivered through a disk image (DMG) file downloaded from the dumpmedia[.]com website. Once installed, it performs a series of checks to avoid detection and determine if the infected system is a viable target.
The researchers found that Cuckoo queries the system’s universally unique identifier (UUID) and checks the device’s locale settings. It specifically looks for systems located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine, avoiding infection on machines from those regions.
If the system is deemed a viable target, Cuckoo initiates its data exfiltration and surveillance routines. It is programmed to steal a wide array of sensitive information, including:
- Keychain data containing passwords and cryptographic keys
- Screen captures and webcam snapshots
- Browsing history and cookies
- Messaging app data like WhatsApp and Telegram logs
- Cryptocurrency wallet details
- SSH keys and other authentication credentials
The stolen data is then exfiltrated to a command-and-control server controlled by the malware operators.
To maintain a persistent presence, Cuckoo installs a launch agent that persists across reboots. It also employs various evasion tactics, such as encrypting network traffic and only running malicious components if certain conditions are met.
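The report above says Cuckoo persists through a launch agent but gives no label or path. As an added example (not code from the original page or from Kandji), the following Python audit parses LaunchAgent plists and flags the traits described: a job that runs at load, is kept alive, and points at a binary outside system or application locations. The plists, label and paths below are constructed placeholders.

```python
"""Audit macOS LaunchAgent plists for launchd-based persistence of the kind
described for Cuckoo. The sample plists are CONSTRUCTED, not real artifacts."""
import plistlib
import re
from typing import Iterable, Optional

# Prefixes from which system components and normally installed apps run.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")
# User-writable locations where a dropped binary is more suspicious.
WRITABLE_HINTS = re.compile(
    r"^(/tmp/|/private/tmp/|/var/folders/|/Users/[^/]+/Library/|/Users/[^/]+/\.)")

def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launchd job runs (Program or ProgramArguments[0])."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def audit_agent(path: str, data: bytes) -> list:
    """Return findings for one plist; an empty list means nothing notable."""
    plist = plistlib.loads(data)
    prog = program_path(plist)
    if prog is None:
        return [f"{path}: no Program/ProgramArguments"]
    findings = []
    if not prog.startswith(TRUSTED_PREFIXES):
        findings.append(f"{path}: runs {prog} outside trusted prefixes")
    if WRITABLE_HINTS.match(prog):
        findings.append(f"{path}: binary lives in a user-writable location")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(f"{path}: RunAtLoad+KeepAlive (survives logout/reboot)")
    return findings

def audit_agents(agents: Iterable) -> dict:
    """Audit (path, plist bytes) pairs and keep only those with findings."""
    return {p: f for p, d in agents if (f := audit_agent(p, d))}

# Constructed sample: one ordinary vendor agent and one Cuckoo-like agent.
SAMPLE_AGENTS = [
    ("/Users/alice/Library/LaunchAgents/com.example.updater.plist",
     plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
                     "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]})),
    ("/Users/alice/Library/LaunchAgents/com.placeholder.agent.plist",
     plistlib.dumps({"Label": "com.placeholder.agent", "RunAtLoad": True, "KeepAlive": True,
                     "ProgramArguments": ["/Users/alice/Library/Application Support/x/DumpMediaSpotifyMusicConverter"]})),
]

if __name__ == "__main__":
    for path, findings in audit_agents(SAMPLE_AGENTS).items():
        print("\n".join(findings))
```

On a live host, feed the function the contents of ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons instead of the constructed sample.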