Cybersecurity researchers have found a new information stealer targeting Apple macOS systems that's aimed to establish up persistence on the infected hosts and serve as a spyware.
Dubbed Cuckoo by Kandji, the virus is a universal Mach-O binary that's capable of executing on both Intel- and Arm-based Macs.
The exact distribution vector is currently unclear, although there are indications that the binary is hosted on sites like dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com that claim to offer free and paid versions of applications dedicated to ripping music from streaming services and converting it into the MP3 format.
The disk image file downloaded from the websites is responsible for starting a bash shell to acquire host information and ensuring that the compromised system is not situated in Armenia, Belarus, Kazakhstan, Russia, Ukraine. The malicious program is run only if the locale check is successful.
It also establishes persistence by way of a LaunchAgent, a strategy previously utilized by several malware families as RustBucket, XLoader, JaskaGO, and a macOS backdoor that shares overlaps with ZuRu.
Cuckoo, like the MacStealer macOS stealer malware, also employs osascript to create a phony password prompt to deceive users into entering their system passwords for privilege escalation.
"This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system," researchers Adam Kohler and Christopher Lopez explained.
It's prepared to launch a series of instructions to extract hardware information, capture currently running processes, inquire for installed programs, take screenshots, and collect data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and apps like Discord, FileZilla, Steam, and Telegram.
"Each malicious application contains another application bundle within the resource directory," the researchers added. "All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP)."
"The website fonedog[.]com hosted an Android recovery tool among other things; the additional application bundle in this one has a developer ID of FoneDog Technology Limited (CUAU2GTG98)."
The disclosure comes about a month after the Apple device management business also discovered another stealer virus called CloudChat that masquerades as a privacy-oriented messaging program and is capable of compromising macOS users whose IP addresses do not geolocate to China.
The malware acts by capturing crypto private keys copied to the clipboard and data connected with wallet extensions installed on Google Chrome.
It also follows the discovery of a new variant of the famed AdLoad malware written in Go dubbed Rload (aka Lador) that's built to circumvent the Apple XProtect malware signature list and is produced specifically for Intel x86_64 architecture.
"The binaries function as initial droppers for the next stage payload," SentinelOne security researcher Phil Stokes stated in a study last week, adding the specific distribution techniques remain presently murky.
That having stated, these droppers have been detected frequently inserted in cracked or trojanized programs provided by rogue websites.
AdLoad, a widespread adware campaign afflicting macOS since at least 2017, is known for hijacking search engine results and injecting advertisements into web pages for monetary gain by means of an adversary-in-the-middle web proxy to redirect user's web traffic through the attacker's own infrastructure.
