New 'Cuckoo' Persistent macOS Spyware Targeting Intel and Arm Macs
Cybersecurity researchers have identified a new information-stealing malware targeting Apple macOS systems, named Cuckoo by Kandji. This universal Mach-O binary can run on both Intel- and Arm-based Macs. While the exact distribution method is unclear, indications suggest that the malware is hosted on websites claiming to offer free and paid versions of applications for ripping music from streaming services.
Once launched, the malware runs a bash shell to gather host information and to check that the compromised machine is not located in specific countries, a geofence that aborts the infection if it is. Only then does it install a LaunchAgent, a persistence technique previously used by many macOS malware families: a plist placed in the user's ~/Library/LaunchAgents directory is loaded at every login with that user's privileges, so it survives a reboot without any privilege escalation.
Cuckoo uses osascript to display fake password prompts that trick users into entering their system passwords, which it can then use for privilege escalation. The dialog is drawn by a plain AppleScript, not by the system's authorization service, so it is convincing only visually; in a process listing the owner of the prompt is osascript. It then collects data by querying for specific files associated with various applications, extracting hardware information, capturing the list of running processes, and harvesting data from iCloud Keychain, Apple Notes, web browsers, and various applications including Discord, FileZilla, Steam, and Telegram.
Interestingly, each malicious application bundle is signed with a valid Developer ID. The signature ties the bundle to an Apple-issued certificate and satisfies Gatekeeper's identity check (the report does not say whether the bundles were also notarized), but it says nothing about the code's intent, and Apple can revoke the certificate once it is reported. The signing identity of a suspicious bundle can be read with `codesign -dv --verbose=4 <bundle>` and Gatekeeper's current verdict with `spctl --assess --type exec -vv <bundle>`. The malware also targets cryptocurrency wallets by grabbing private keys copied to the clipboard and by collecting data associated with wallet extensions installed in Google Chrome.
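The two behaviours described above that a defender can hunt for directly are the LaunchAgent persistence and the osascript password prompt. The following script is an added example for this page, not Kandji's tooling and not code taken from Cuckoo: it parses LaunchAgent plists and flags the combination of run-at-login persistence with an odd launcher (a shell or osascript one-liner, a program outside trusted locations, a payload staged in a hidden directory), and it recognises the AppleScript `display dialog ... with hidden answer` construct in a process command line. The sample plists and command line are constructed, and the `TRUSTED_PREFIXES` and `SCRIPT_HOSTS` lists are assumptions to be tuned per fleet.

```python
"""Triage macOS LaunchAgent plists and osascript command lines for the
persistence and fake-prompt behaviour described on this page.

Added example; not Kandji's tooling and not code from Cuckoo.  The plists
and command line below are constructed samples, and the allowlists are
assumptions to tune for your own fleet.
"""
import plistlib
import re
from dataclasses import dataclass, field

# Where a login item may legitimately point.  Assumed allowlist.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")

# Interpreters a login item rarely needs but droppers use for one-liners.
SCRIPT_HOSTS = {"bash", "sh", "zsh", "osascript", "python3", "curl"}

# Indicators that only say "this runs at login"; on their own they are normal.
PERSISTENCE_ONLY = {"RunAtLoad", "KeepAlive"}


@dataclass
class Finding:
    label: str
    program: str
    reasons: list[str] = field(default_factory=list)


def triage_launch_agent(plist_bytes: bytes) -> Finding:
    """Parse one LaunchAgent plist (XML or binary) and collect indicators."""
    d = plistlib.loads(plist_bytes)
    args = [str(a) for a in d.get("ProgramArguments", [])]
    program = d.get("Program") or (args[0] if args else "")
    f = Finding(label=d.get("Label", "<no label>"), program=program)
    if d.get("RunAtLoad"):
        f.reasons.append("RunAtLoad")
    if d.get("KeepAlive"):
        f.reasons.append("KeepAlive")
    base = program.rsplit("/", 1)[-1]
    if base in SCRIPT_HOSTS:
        f.reasons.append(f"script host {base}")
        # "bash -c '...'" / "osascript -e '...'" keeps the real payload out of
        # the Program field, which is where most inventories look.
        if any(a in ("-c", "-e") for a in args[1:]):
            f.reasons.append("inline script")
    elif not program.startswith(TRUSTED_PREFIXES):
        f.reasons.append("program outside trusted prefixes")
    # A dot-directory under the user's home is a common staging spot.
    if any(re.search(r"/\.[^/]+/", a) for a in args):
        f.reasons.append("hidden directory in arguments")
    return f


def is_suspicious(f: Finding) -> bool:
    """Persistence alone is normal; persistence plus an odd launcher is not."""
    return any(r not in PERSISTENCE_ONLY for r in f.reasons)


# AppleScript's 'display dialog ... default answer "" with hidden answer' is how
# a plain script draws a masked text field that looks like a password prompt.
# A genuine macOS authorization dialog is never produced by osascript.
FAKE_PROMPT_RE = re.compile(r"display dialog .*with hidden answer", re.S)


def is_fake_password_prompt(cmdline: str) -> bool:
    return "osascript" in cmdline and FAKE_PROMPT_RE.search(cmdline) is not None


def _plist(label: str, args: list[str]) -> bytes:
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})


# Constructed samples for this example; not real Cuckoo artefacts.
BENIGN_PLIST = _plist("com.example.updater",
                      ["/Applications/Example.app/Contents/MacOS/Updater"])
SUSPICIOUS_PLIST = _plist("com.user.loginhelper", [
    "/bin/bash", "-c",
    "/Users/victim/Library/Application Support/.helper/MusicRipper",
])
FAKE_PROMPT_CMDLINE = (
    "osascript -e 'display dialog \"macOS needs your password to continue\" "
    "default answer \"\" with hidden answer with title \"System Preferences\"'"
)

if __name__ == "__main__":
    for blob in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        f = triage_launch_agent(blob)
        print(f.label, "SUSPICIOUS" if is_suspicious(f) else "ok", f.reasons)
    print("fake prompt:", is_fake_password_prompt(FAKE_PROMPT_CMDLINE))
```

On a live Mac, feed the bytes of each file in ~/Library/LaunchAgents and /Library/LaunchAgents to `triage_launch_agent`; for anything flagged, check the launched program's signature with `codesign -dv --verbose=4 <path>` and Gatekeeper's verdict with `spctl --assess --type exec -vv <path>`. A prompt of the kind described above can be caught while it is on screen by running the command line of every osascript process (`ps -axo pid,command | grep osascript`) through `is_fake_password_prompt`.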
Additionally, researchers have discovered a new variant of the AdLoad malware, called Rload or Lador, designed to evade Apple XProtect malware signatures. These droppers are typically embedded in cracked or trojanized apps distributed by malicious websites. AdLoad, a long-standing adware campaign on macOS, redirects user web traffic through the attacker's infrastructure to inject advertisements into web pages for monetary gain.
News source
https://thehackernews.com/2024/05/new-cuckoo-persistent-macos-spyware.html