Analysis Summary

A novel information stealer that targets Apple macOS has been found by cybersecurity researchers. It is intended to become persistent on compromised hosts and function as malware. The malware, known as Cuckoo, is a universal Mach-O program that can operate on Macs with Intel or Arm processors.

Although there are hints that the file is hosted on websites purporting to provide both free and paid versions of programs designed to extract music from streaming services and convert it to the MP3 format, the precise distribution vector is yet unknown. A bash shell is launched by the disk image file that was downloaded from the websites to obtain host information and confirm that the compromised system is not in Armenia, Belarus, Kazakhstan, Russia, or Ukraine. Only when the locale check is successful is the malicious binary run.

Additionally, it achieves persistence through a LaunchAgent—a tactic previously employed by other malware families, including ZuRu-overlapping macOS backdoors, XLoader, RustBucket, and JaskaGO. Similar to the MacStealer macOS stealer malware, Cuckoo uses osascript to display a phony password prompt and fool users into entering their credentials to escalate their privileges.

This malware searches for specific files linked to particular applications to obtain as much data as it can from the system. It can execute several commands to gather data from iCloud Keychain, Apple Notes, web browsers, cryptocurrency wallets, and applications like Discord, FileZilla, Steam, and Telegram. It can also gather hardware information, take screenshots, record processes that are presently running, and search for installed programs.

“Each malicious application contains another application bundle within the resource directory,” said the researchers.

The revelation follows the discovery of another stealer software, called CloudChat, by the Apple device management firm over a month ago. This malware can trick macOS users whose IP addresses do not geolocate to China by posing as a private messaging program. The malware obtains information linked to Google Chrome wallet extensions and crypto private keys that have been copied to the clipboard.

Impact

• Cyber Espionage
• Credential Theft
• Privilege Escalation
• Sensitive Information Theft

Indicators of Compromise

SHA1

• a700b0759351fd912cf8155579ea21f21437f075
• c5c8335ed343d14d2150a9ba90e182ca739bde8a
• 1ef1f94d39931b6e625167b021a718f3cfe6bb80
• 2cdda89c50c2aa1eb4b828350b7086748c58fe08
• e9180ee202c42e2b94689c7e3fb2532dd5179fad

URL

• http://146.70.80.123/static.php
• http://146.70.80.123/index.php

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be vigilant when downloading software and double-check the URL to see if it is legitimate.
• Never download software from untrusted sources.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.