Key Takeaways:
- Cuckoo, named by Kandji researchers, is a new form of Mac malware that targets both Apple Silicon and Intel Macs and behaves like a combination of infostealer and spyware.
- Once a user downloads and runs a dubious music conversion application, the malware begins its malicious activity, tricks the user into granting it system privileges, and then persists across system reboots.
- To avoid falling victim to Cuckoo, stay away from piracy sites and consider using reputable antivirus software alongside Apple’s XProtect, since third-party products offer more frequent updates and additional features.
Grappling with the New Cuckoo Malware
Mac users need to amp up their cybersecurity as there’s a new threat in town – Cuckoo. This new malware, reported by The Hacker News, and named by Kandji security researchers, targets both new Macs running Apple Silicon and older Macs that use Intel. The distinctive feature setting Cuckoo apart is its dual behavior that mimics that of infostealer malware and spyware.
Cuckoo’s Modus Operandi
Kandji researchers Adam Kohler and Christopher Lopez first discovered Cuckoo when they came across a Mach-O binary that had gone undetected on the malware-tracking site VirusTotal. It was named “DumpMedia Spotify Music Converter,” which raised suspicions.
Further exploration revealed a site called dumpmedia[.]com, which hosts an array of apps that help users illicitly convert music from streaming services to MP3 files. Currently, Cuckoo’s primary distribution channel is music piracy sites, but there’s a risk that it can switch to propagate through other fake apps.
The entry point for the malware is the DumpMedia Spotify Music Converter app. Unlike conventional macOS apps, this one instructs users to launch it by right-clicking and selecting Open, the manual step that lets an app Gatekeeper would otherwise block (unsigned or not notarized) run anyway.
Establishing Persistence and Escalating Privileges
Cuckoo’s malicious activity starts once it’s downloaded. It first asks users to enter their password through a fake prompt, a ploy also used by the MacStealer malware. On acquiring the system password, Cuckoo escalates its privileges on the infected machine. It then begins to enumerate installed apps, take screenshots, and gather data from sources such as iCloud Keychain, Apple Notes, web browsers, crypto wallets, and apps including Discord, FileZilla, Steam, and Telegram.
Cuckoo uses the LaunchAgent technique to persist on the Mac, ensuring its activity resumes after a reboot. It also checks the Mac’s location and refrains from stealing sensitive data if the device is in Armenia, Belarus, Kazakhstan, Russia, or Ukraine.
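Because LaunchAgent persistence is what keeps Cuckoo running after a reboot, the practical defensive check is an inventory of the LaunchAgent plists on the machine. The script below is an added example written for this article, not code from Kandji or any vendor: it parses each plist in the per-user and system-wide LaunchAgents folders and flags entries that auto-start or keep themselves alive while pointing at an executable outside the usual install locations. The two embedded sample plists are constructed placeholders for illustration, not real Cuckoo artifacts, and the list of trusted path prefixes is an assumption you should tune for your fleet.

```python
import glob
import os
import plistlib
from typing import Dict, List, Optional
from xml.parsers.expat import ExpatError

# Assumed set of directories a legitimately installed LaunchAgent program
# normally lives in. Programs launched from a home directory, /tmp or
# /private/var deserve a closer look. Tune this list for your environment.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a LaunchAgent runs: Program, or ProgramArguments[0]."""
    prog = plist.get("Program")
    if isinstance(prog, str) and prog:
        return prog
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess_launch_agent(raw: bytes, source: str = "<memory>") -> Dict[str, object]:
    """Parse one LaunchAgent plist and report why it looks suspicious, if it does."""
    try:
        plist = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        # A file in a LaunchAgents folder that launchd cannot parse is itself odd.
        return {"source": source, "label": None, "program": None,
                "suspicious": True, "reasons": [f"unparseable plist: {exc}"]}

    reasons: List[str] = []
    path = program_path(plist)
    odd_location = path is None or not path.startswith(TRUSTED_PREFIXES)
    if path is None:
        reasons.append("no Program or ProgramArguments key")
    elif odd_location:
        reasons.append(f"program outside trusted locations: {path}")
    if plist.get("RunAtLoad"):
        reasons.append("RunAtLoad set (starts at login)")
    if plist.get("KeepAlive"):
        reasons.append("KeepAlive set (relaunched if it exits)")

    # An executable in an unusual place that also auto-starts or keeps itself
    # alive is the combination a persistence mechanism typically relies on.
    auto_start = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    return {"source": source, "label": plist.get("Label"), "program": path,
            "suspicious": odd_location and auto_start, "reasons": reasons}


def scan_launch_agents(directories: Optional[List[str]] = None) -> List[Dict[str, object]]:
    """Read every .plist in the given LaunchAgents directories (default: the
    per-user and system-wide folders) and return the entries that look suspicious."""
    if directories is None:
        directories = [os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"]
    findings: List[Dict[str, object]] = []
    for directory in directories:
        for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
            with open(path, "rb") as fh:
                result = assess_launch_agent(fh.read(), source=path)
            if result["suspicious"]:
                findings.append(result)
    return findings


# Constructed sample plists (placeholders, not real malware indicators): a vendor
# updater that starts at login from /Applications, and an agent that runs a
# binary hidden under a home directory and keeps itself alive.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.placeholder.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/.cache/helper</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(assess_launch_agent(sample))
    for hit in scan_launch_agents():
        print(hit["source"], hit["reasons"])
```

Run it as the user whose login items you want to audit; the default scan covers that user’s `~/Library/LaunchAgents` and the system-wide `/Library/LaunchAgents`. A hit is a prompt to inspect the program it points at and the plist’s creation time, not proof of infection, since some legitimate tools do install helpers under the home directory.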
Safeguarding Your Mac from Cuckoo
Cuckoo is distributed mainly through piracy websites, which are notorious for their malware risks. Piracy also harms creators. It is therefore advisable to avoid such websites altogether.
Does this mean your Mac is vulnerable? Not necessarily. Macs ship with built-in anti-malware protection, Apple’s XProtect. It offers decent baseline protection, but you may want to supplement it with a robust third-party Mac antivirus program.
Paid antivirus programs offer more frequent updates and more features, and often bundle additional services such as a Virtual Private Network (VPN) or a password manager, giving stronger protection against emerging threats like Cuckoo.
In conclusion, it’s crucial to stay vigilant and practice safe browsing habits. One way to keep Cuckoo at bay is to avoid websites offering unlawful music download services.