The internet is flooded with spyware disguised as genuine, useful software. Kandji, an Apple device management and security platform, has recently uncovered a new spyware and infostealer designed to attack both Intel and ARM Macs.
Dubbed “Cuckoo,” the spyware is named after the bird as it infiltrates the host system and siphons its resources.
What Mask Does Cuckoo Spyware Wear?
Cuckoo masquerades as a Mach-o binary, which is an executable format tailored for Apple systems. Researchers at Kandji first encountered this threat through a file named DumpMediaSpotifyMusicConverter, also referred to as “upd,” that was submitted to Virus Total for analysis.
This spyware operates by tracking and recording data from various sources, including iCloud Keychain, Apple Notes, web browsers, and cryptocurrency wallets.
It doesn’t discriminate among applications, targeting popular platforms such as Discord, FileZilla, Steam, and Telegram. According to Kandji’s findings, the spyware employs tactics like muting system sound to discreetly capture screenshots.
Additionally, Cuckoo is programmed to open the app to create an illusion of normal activity, masking its malicious actions.
Further investigation led researchers to discover that the spyware was hosted on a website offering tools to convert music from streaming services into MP3 format.
These suspicious websites provide both free and paid versions of applications for extracting music from streaming platforms, as well as tools for iOS and Android data recovery. Some of the identified sites include:
- dumpmedia[.]com
- Tunesolo[.]com
- Fonedog[.]com
- Tunesfun[.]com
- Tunefab[.]com
All the application bundles found on these websites share a common Developer ID registered to Yian Technology Shenzhen Co., Ltd (VRBJ4VRP). However, app bundles discovered on Fonedog have a distinct Developer ID, belonging to FoneDog Technology Limited (CUAU2GTG98).
Upon downloading an application advertised as capable of converting Spotify songs to MP3 format, researchers inspected the disk image file and were taken aback to discover the presence of the same “upd” file alongside the legitimate application.
The malicious binary remained inactive as Gatekeeper intervened and blocked its execution. Subsequently, when manual permission was granted, the application initiated a check for the system’s locale to ascertain the user’s country.
Interestingly, Cuckoo is programmed not to execute if the system’s locale corresponds to any of the following countries:
- Armenia
- Belarus
- Kazakhstan
- Russia
- Ukraine
Cuckoo’s Data Harvesting Ambitions
Cuckoo’s Extensive Data Collection Efforts.
Cuckoo is programmed to collect vast amounts of data and relay it to a Command and Control server.
It can extract precise hardware details, identify installed applications, and monitor active processes.
With the prevalence of tools for converting media from streaming platforms to MP3 or similar formats, attackers saw an opportunity to exploit this trend.
To safeguard your Mac from spyware such as Cuckoo, refrain from downloading apps from dubious sources.
0 Comments