Cuckoo Mac Malware Mimics Music Converter to Steals Passwords and Crypto

Cuckoo malware targets macOS users, stealing passwords, browsing history, crypto wallet details & more. Disguised as a music converter, it poses a major security risk. Learn how to protect yourself from this sophisticated infostealer.
Cuckoo Mac Malware Mimics Music Converter to Steals Passwords and Crypto

Cybersecurity researchers from Mac security provider, Kandji, have discovered a new malware dubbed “Cuckoo” targeting macOS users. The malware is disguised as a music converter app like Spotify and can run on both Intel and ARM-based Apple Mac computers.

Researchers discovered a malicious Mach-O binary on April 24, 2024, exhibiting spyware and infostealer behaviour. Its examination revealed a file titled “DumpMedia Spotify Music Converter,” a universal binary on Intel or ARM-based Mac computers.

Cuckoo Mac Malware Mimics Music Converter to Steals Passwords and Crypto

The malware was detected when the Spotify version was downloaded from dumpmediacom. Then it was found on other websites with both free and paid versions.

“So far, we have found that the websites tunesolocom, fonedogcom, tunesfuncom, tunefabcom are hosting malicious applications containing the same malware,” Kandji researchers revealed in their blog post.

Cuckoo’s Deceptive Tactics

Cuckoo deceives users by claiming to convert Spotify music to MP3 format. Once installed, it begins the data heist, targeting the macOS keychain, visual evidence, browsing history, messaging app data, cryptocurrency wallet details, and authentication credentials. 

It self-installs by requesting users to open an app, without a vetted signature or developer ID, a critical moment where one might wish for a control alt delete on Mac feature to end potential threats immediately. It checks the user’s location and gathers host hardware information. If the user accepts further prompts, it gains access to the Finder, microphone, and downloads.

What it Targets?

Cuckoo targets macOS’s keychain, a repository for passwords, login credentials, and cryptographic keys, compromising online accounts and sensitive data access. 

It steals screenshots, and webcam snapshots, and targets messaging apps like WhatsApp and Telegram, revealing users’ online activities and posing a significant financial threat to digital asset owners. 

Researchers found Cuckoo copies files related to Safari, Notes, and Keychain to temporary locations and create paths to files of interest. It runs a launch agent every 60 seconds to maintain persistence on the machine.

Who’s Behind Cuckoo?

The campaign is not explicitly attributed to any particular threat actor, but researchers noted that it spares devices in Armenia, Belarus, Kazakhstan, Russia, and Ukraine. 

Moreover, it establishes persistence via LaunchAgent, a feature found in RustBucket, XLoader, JaskaGO, and a backdoor associated with Chinese threat actor ZuRu. The malware was signed with a legitimate Chinese developer ID (Yian Technology Shenzhen Co., Ltd (VRBJ4VRP), with all bundles (except those hosted on fonedogcom) signed.

To protect yourself from Cuckoo and other malware threats, download software cautiously, avoid untrusted sources, scrutinize emails and attachments, and use reliable antivirus and anti-malware solutions. Staying vigilant and maintaining scepticism is crucial for digital privacy and security.

  1. Hackers Targeting Apple’s M1 Chip with Mac Malware
  2. Simple tips to keep your Macbook secure from online threats
  3. Researchers bought MacBook for $1 using critical vulnerabilities
  4. UpdateAgent malware variant mimics legitimate macOS software
  5. EvilQuest ransomware hits Mac devices through pirated software
Total
0
Shares
Related Posts