Cybersecurity experts have identified a new information stealer targeting Apple macOS computers that is intended to establish persistence on compromised hosts and function as spyware.
Kandji's malware, dubbed Cuckoo, is a universal Mach-O binary that can execute on both Intel and Arm Macs.
The exact distribution vector is currently unknown, but there are indications that the binary is hosted on sites such as dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which claim to provide free and paid versions of applications for ripping music from streaming services and converting it to MP3 format.
The disk image file downloaded from the websites is responsible for spawning a bash shell to collect host data and ensuring that infected machines are not located in Armenia, Belarus, Kazakhstan, Russia, Ukraine.
The malicious binary is executed only if the locale check is successful.
It also achieves persistence through the use of a LaunchAgent, a strategy previously employed by other malware families such as RustBucket, XLoader, JaskaGO, and a macOS backdoor that bears similarities with ZuRu.
Cuckoo, like the MacStealer macOS stealer malware, uses osascript to create a fake password prompt, luring users into entering their system passwords for privilege escalation.
"This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system," researchers Adam Kohler and Christopher Lopez stated.
It can execute a sequence of commands to gather hardware data, capture currently running processes, search for installed apps, take screenshots, and collect data from iCloud Keychain, Apple Notes, web browsers, cryptocurrency wallets, and apps such as Discord, FileZilla, Steam, and Telegram.
"Each malicious application contains another application bundle within the resource directory," the researchers added. "All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP).”
The news comes nearly a month after Apple's device management company revealed another stealer spyware called CloudChat, which masquerades as a privacy-oriented messaging programme and can compromise macOS users whose IP addresses do not geolocate to China. The spyware harvests cryptocurrency private keys transferred to the clipboard as well as data linked with wallet extensions installed in Google Chrome.
