Cybersecurity researchers at Intego have discovered new variants of the dreaded Cuckoo malware that targets macOS users.
For those unfamiliar with the name, Cuckoo is an information stealer that targets Mac devices with both Intel and ARM (Apple silicon) processors.
Intego researchers now say they have found a new variant purporting to be Homebrew, a popular macOS software package manager. The attackers created a fake landing page, seemingly identical to the authentic Homebrew page, from which the data thief was delivered.
Google Ads Poisoning
In early May 2024, Mac security vendor Kandji said that the malware “requests specific files associated with specific applications, in an attempt to collect as much system information as possible.” Apparently, Cuckoo was looking for hardware information, currently running processes, and installed applications.
Among its key features is the ability to take screenshots, collect data from iCloud Keychains, Apple Notes, web browsers, different applications (Discord, Telegram, Steam and more), and obtain data from cryptocurrency wallets.
The threat was distributed through fake software: a program that claimed to be able to extract music from streaming services into .MP3 files.
While setting up a fake website is easy, getting people to visit it is far more difficult. Intego believes that to drive people to the website, the attackers poisoned Google Ads: they gained access to Google Ads accounts with clean, running campaigns and modified them (or ran new campaigns) to generate traffic to the fake page.
“We recommend that consumers abandon the habit of 'just searching Google' to find legitimate sites,” the researchers said. “These habits often include clicking on the first link without much thought, under the assumption that Google won't misdirect them and give them the correct result right at the top. Malware authors know this, of course, and that's why they pay Google for the number one position.”
Instead of searching Google for popular websites, users are encouraged to type in the address themselves or bookmark the sites.