A dangerous new malware is targeting Macs of all kinds — here's how to stay safe
A dangerous new malware is targeting Macs of all kinds — here’s how to stay safe
Hackers have been observed targeting Mac devices running on both Intel and ARM silicon with brand new infostealer malware.
Mac security provider Kandji discovered the malware and dubbed it Cuckoo. “This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system,” the researchers said in their report.
Among the information it pulls is hardware information, currently running processes, and installed applications. Furthermore, Cuckoo is capable of taking screenshots, harvesting data from iCloud Keychains, Apple notes, web browsers, different apps (Discord, Telegram, Steam, and more), and cryptocurrency wallets.
Russia, or China?
To distribute the malware, the threat actors set up a number of malicious sites, where the code is advertised as a program for ripping music from streaming services and converting it into .MP3. It is also being advertised as having both a free and a paid version.
While the researchers did not explicitly attribute the campaign to any particular threat actor, they did note that the infostealer fails to run if the infected device is located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine, possibly hinting an affiliation with Russia. However, they also noted that Cuckoo establishes persistence via LaunchAgent, which was already seen in RustBucket, XLoader, JaskaGO, and a backdoor similar to ZuRu – a Chinese threat actor.
Further adding credence to the China theory is the fact that the malware was signed with a legitimate Chinese developer ID:
“Each malicious application contains another application bundle within the resource directory,” the researchers said. “All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP).”
“The website fonedog[.]com hosted an Android recovery tool among other things; the additional application bundle in this one has a developer ID of FoneDog Technology Limited (CUAU2GTG98).”
Via The Hacker News