Hackers have been observed attacking Mac devices running on Intel and ARM silicon with new information-stealing malware.
Mac security vendor Kandji discovered the malware and named it Cuckoo. “This malware searches for specific files associated with specific applications, in an attempt to collect as much system information as possible,” the researchers said in their report.
The data it collects includes hardware details, currently running processes, and installed applications. Cuckoo can also take screenshots and harvest data from iCloud Keychain, Apple Notes, web browsers, various applications (Discord, Telegram, Steam and more) and cryptocurrency wallets.
Russia or China?
To distribute the malware, the threat actors set up a series of malicious sites advertising the code as a program that rips music from streaming services and converts it to .MP3. The sites also advertise a free version and a paid version.
While the researchers did not explicitly attribute the campaign to any particular threat actor, they did note that the infostealer does not run if the infected device is located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine, possibly hinting at an affiliation with Russia. However, they also noted that Cuckoo establishes persistence through LaunchAgent, which was already seen in RustBucket, XLoader, JaskaGO, and a backdoor similar to ZuRu, a Chinese threat actor.
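The LaunchAgent persistence mentioned above is something a responder can triage quickly: a LaunchAgent is just a plist under a `LaunchAgents` directory naming a program to run, and the interesting ones start at login and point at a binary outside the usual system or application locations. The script below is an added example, not Kandji's code or anything from the Cuckoo report; the plist contents, the `com.example.*` labels and the file paths in it are constructed for illustration and are not indicators from the campaign.

```python
"""Triage macOS LaunchAgent plists for common persistence indicators.

Added example (not Kandji's code). The heuristics are deliberately simple:
a LaunchAgent is worth a closer look when its program lives outside the
trusted system/application prefixes (or in a temp or hidden directory) AND
it is configured to start at login or to be relaunched if killed.
"""
import plistlib
from pathlib import Path
from typing import Dict, Iterator, Optional

# Locations where a legitimately installed agent's program normally lives.
# Constructed allowlist for this example; tune it to your fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
TEMP_MARKERS = ("/tmp/", "/private/tmp/", "/var/folders/")


def load_launch_agent(data: bytes) -> dict:
    """Parse the XML (or binary) plist bytes of a LaunchAgent."""
    return plistlib.loads(data)


def program_path(agent: dict) -> Optional[str]:
    """launchd accepts either a Program key or ProgramArguments[0]."""
    if agent.get("Program"):
        return agent["Program"]
    args = agent.get("ProgramArguments")
    return args[0] if args else None


def triage(agent: dict) -> Dict[str, object]:
    """Return the label, target program, individual findings and a verdict."""
    path = program_path(agent)
    findings = []
    location_flag = False

    if path is None:
        findings.append("no program specified")
        location_flag = True
    else:
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"program outside trusted locations: {path}")
            location_flag = True
        if any(marker in path for marker in TEMP_MARKERS):
            findings.append("program in a temporary directory")
            location_flag = True
        if "/." in path:  # a path component beginning with '.' is hidden in Finder
            findings.append("program in a hidden directory")
            location_flag = True

    # KeepAlive may be a bool or a dict of conditions; either is truthy here.
    autostart = bool(agent.get("RunAtLoad")) or bool(agent.get("KeepAlive"))
    if agent.get("RunAtLoad"):
        findings.append("RunAtLoad=true (starts at login)")
    if agent.get("KeepAlive"):
        findings.append("KeepAlive set (relaunched if terminated)")

    return {
        "label": agent.get("Label", "<no label>"),
        "program": path,
        "findings": findings,
        "suspicious": location_flag and autostart,
    }


def scan_directory(directory: Path) -> Iterator[Dict[str, object]]:
    """Triage every .plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    for plist_file in sorted(directory.glob("*.plist")):
        try:
            result = triage(load_launch_agent(plist_file.read_bytes()))
        except Exception as exc:  # unreadable or non-plist file is itself worth noting
            result = {"label": plist_file.name, "program": None,
                      "findings": [f"could not parse: {exc}"], "suspicious": True}
        result["file"] = str(plist_file)
        yield result


# Constructed sample plists (not real indicators from the Cuckoo campaign).
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/.helper/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(triage(load_launch_agent(sample)))
    home_agents = Path.home() / "Library" / "LaunchAgents"
    if home_agents.is_dir():
        for entry in scan_directory(home_agents):
            if entry["suspicious"]:
                print("REVIEW:", entry)
```

On a live Mac, run it as the user whose agents you want to review and follow up on each flagged program with `codesign -dv --verbose=4 <path>` to see the signer and Team ID; an agent pointing at a hidden directory under the user's home is the pattern worth escalating, not a signed helper shipped with an installed application.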
Lending more credence to the China theory is the fact that the malware was signed with a legitimate Chinese developer ID:
“Each malicious application contains another application package within the resource directory,” the researchers said. “All those packages (except those hosted on fonedog[.]com) are signed and have a valid developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP)”.
“The fonedog[.]com website hosted an Android recovery tool, among other things; the additional app package in this has a developer ID of FoneDog Technology Limited (CUAU2GTG98).”
Via The Hacker News