Published in News

Yet another exploited security flaw in macOS systems

by on06 May 2024

Cuckoo in the nest

Cybersecurity boffins have unearthed a new information thief that preys on Apple macOS systems. This thief can dig its claws into infected hosts and act as a snoop.

Christened Cuckoo by Kandji, the malware is a universal Mach-O binary capable of running on both Intel- and Arm-based Macs, showing no mercy to any of Jobs' Mob's machines.

The exact distribution vector is as clear as mud, although there are hints that the binary is hosted on sites like dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com. These sites claim to offer free and paid versions of applications dedicated to ripping music from streaming services and converting it into MP3 format.

The disk image file downloaded from the websites is responsible for spawning a bash shell to gather host information and ensure the compromised machine is not located in Armenia, Belarus, Kazakhstan, Russia, or Ukraine.  We assume that the inventors of the hack believed that Apple users living in those countries had already suffered enough. The malicious binary only springs into action if the locale check is successful.

It also establishes persistence using a LaunchAgent, a technique adopted by different malware families, such as RustBucket, XLoader, JaskaGO, and a macOS backdoor that shares overlaps with ZuRu.

Like the MacStealer macOS stealer malware, Cuckoo also uses osascript to display a fake password prompt to trick users into entering their system passwords for privilege escalation.

Researchers Adam Kohler and Christopher Lopez said: "This malware queries for specific files associated with specific applications in an attempt to gather as much information as possible from the system."

It's equipped to run a series of commands to extract hardware information, capture currently running processes, query for installed apps, take screenshots, and harvest data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and apps like Discord, FileZilla, Steam, and Telegram.

"Each malicious application contains another application bundle within the resource directory," the researchers said. "All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP)."

"The website fonedog[.]com hosted an Android recovery tool, among other things; the additional application bundle has a developer ID of FoneDog Technology Limited (CUAU2GTG98)."

The disclosure comes nearly a month after the Apple device management company also exposed another stealer malware codenamed CloudChat. This malware masquerades as a privacy-oriented messaging app and is capable of compromising macOS users whose IP addresses do not geolocate to China.

The malware works by grabbing crypto private keys copied to the clipboard and data associated with wallet extensions installed on Google Chrome.

It follows the discovery of a new variant of the notorious AdLoad malware written in Go called Rload (aka Lador). This variant is engineered to evade the Apple XProtect malware signature list and is compiled solely for Intel x86_64 architecture.

"The binaries function as initial droppers for the next stage payload," SentinelOne security researcher Phil Stokes said in a report last week, adding that the specific distribution methods remain obscure.

These droppers have been observed typically embedded in cracked or trojanised apps distributed by malicious websites.

AdLoad, a widespread adware campaign afflicting macOS since at least 2017, is known for hijacking search engine results and injecting advertisements into web pages for monetary gain, employing an adversary-in-the-middle web proxy to redirect users' web traffic through the attacker's infrastructure.

Last modified on 06 May 2024
Rate this item
(1 Vote)

Read more about: