A dangerous new malware is targeting Macs of all kinds — here's how to stay safe
Be wary of .MP3 ripping software on Mac
Hackers have been observed targeting Mac devices running on both Intel and ARM silicon with brand new infostealer malware.
Mac security provider Kandji discovered the malware and dubbed it Cuckoo. "This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system," the researchers said in their report.
Among the information it pulls is hardware information, currently running processes, and installed applications. Furthermore, Cuckoo is capable of taking screenshots, harvesting data from iCloud Keychains, Apple notes, web browsers, different apps (Discord, Telegram, Steam, and more), and cryptocurrency wallets.
Russia, or China?
To distribute the malware, the threat actors set up a number of malicious sites, where the code is advertised as a program for ripping music from streaming services and converting it into .MP3. It is also being advertised as having both a free and a paid version.
While the researchers did not explicitly attribute the campaign to any particular threat actor, they did note that the infostealer fails to run if the infected device is located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine, possibly hinting an affiliation with Russia. However, they also noted that Cuckoo establishes persistence via LaunchAgent, which was already seen in RustBucket, XLoader, JaskaGO, and a backdoor similar to ZuRu - a Chinese threat actor.
Further adding credence to the China theory is the fact that the malware was signed with a legitimate Chinese developer ID:
"Each malicious application contains another application bundle within the resource directory," the researchers said. "All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP)."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
"The website fonedog[.]com hosted an Android recovery tool among other things; the additional application bundle in this one has a developer ID of FoneDog Technology Limited (CUAU2GTG98)."
Via The Hacker News
More from TechRadar Pro
- Apple macOS users targeted with more cyberattacks via dodgy ads and websites
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.