Malware Cuckoo – An Infosteler Spyware Steals Data From MacOS

Security researchers have uncovered a previously undetected malware threat for macOS that exhibits characteristics of both an infostealer and spyware. Dubbed “Cuckoo” after the brood parasitic bird, this malicious code infiltrates systems and steals resources for its own gain.

The malware was first spotted on April 24th, 2024 in a Mach-O binary file disguised as “DumpMediaSpotifyMusicConverter” – an application that claims to convert music from Spotify to MP3 format. Analysis reveals Cuckoo is a universal binary capable of running on both Intel and ARM-based Macs.

The malware is delivered through a disk image (DMG) file downloaded from the dumpmedia[.]com website. Once installed, it performs a series of checks to avoid detection and determine if the infected system is a viable target.

Kandji’s researchers found that Cuckoo queries the system’s universally unique identifier (UUID) and checks the device’s locale settings. It specifically looks for systems located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine – avoiding infection on machines from those regions.

Cuckoo initiates its data exfiltration and surveillance routines if deemed a viable target. It is programmed to steal a wide array of sensitive information including:

The stolen data is then exfiltrated to a command-and-control server controlled by the malware operators.

To maintain a persistent presence, Cuckoo installs a launch agent that persists across reboots. It also employs various evasion tactics like encrypting network traffic and only running malicious components if certain conditions are met.

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

If you want to test all these features now with completely free access to the sandbox:

Kandji and other security firms have updated their detections to identify and block Cuckoo. However, preventing such threats requires a layered defense approach:

If infected, organizations should initiate incident response procedures – isolating impacted systems, changing exposed credentials, and working to remove Cuckoo and any other malware discovered.

The discovery highlights the increasing sophistication of macOS threats and need for robust security controls, even on desktop platforms. Kandji’s analysis provides a detailed look at how Cuckoo operates to help the cybersecurity community defend against this invasive malware cuckoo.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free