Cuckoo Malware Detection: New macOS Spyware & Infostealer Targeting Intel and ARM-Based Macs 

Cybersecurity researchers have recently uncovered a novel malicious strain dubbed Cuckoo malware, which mimics the capabilities of spyware and an infostealer and can run on both Intel and Arm-based Mac computers.

Detect Cuckoo Malware

The surge in ongoing infostealing attacks using macOS malware fuels the need for strengthening defenses. SOC Prime Platform curates a set of detection algorithms to help defenders timely identify suspicious activity related to the new “Cuckoo” persistent macOS spyware, which also has infostealing capabilities. 

Detections are mapped to the MITRE ATT&CK® framework v.14.1 and enriched with in-depth metadata. To accelerate Detection Engineering operations, you can also automatically convert the detection code into multiple SIEM, EDR, and Data Lake formats. 

Click the Explore Detections button to access relevant Sigma rules filtered by the “cuckoo malware” tag and help your organization proactively thwart macOS-targeted attacks.

Explore Detections

Cuckoo Malware Analysis

Kandji researchers have recently stumbled upon a novel malicious Mach-O binary skillfully crafted to mimic the functionalities of spyware and an infostealer. Defenders called the new malware “Cuckoo,” drawing inspiration from the behavior of the Cuckoo bird, which lays its eggs in the nests of other birds, exploiting their resources for the benefit of its offspring.

The precise malware distribution method remains currently uncertain. However, researchers have identified that the malicious Mach-O binary is being hosted on a set of websites that deliver both free and paid versions of applications specialized in extracting music from streaming services and converting it into MP3 format.

Upon downloading the disk image file from these websites, a bash shell is spawned. Attackers employ the latter to collect data about the host system and to ensure that the impacted system has locations other than Armenia, Kazakhstan, russia, Belarus, or Ukraine before running the malicious binary. 

Info-stealing malicious strains do not normally establish persistence, which is more typical of spyware. However, the recently identified Cuckoo malware has been observed displaying such an uncommon behavior. Cuckoo leverages a LaunchAgent for persistence, a method previously employed by various malware families, such as XLoader, JaskaGO, or RustBucket.

For privilege escalation, Cuckoo leverages osascript to present a deceptive password prompt similar to the MacStealer macOS malware. The Cuckoo malware employs sophisticated tactics and can execute a series of commands to gather hardware information, capture running processes, search for installed applications, and collect data from diverse sources, including web browsers, cryptocurrency wallets, and popular software applications. The malware leverages sockets and the curl API for communication back to its C2 server. 

Notably, each uncovered weaponized application harbors an additional application bundle within its resource directory. Defenders suggest that there may be more websites and applications distributing Cuckoo that have not yet been uncovered, which stresses the need for proactive defensive measures. 

Rely on SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation to preempt intrusions and always keep a finger on the pulse of the ever-evolving digital landscape.