The web is teeming with spyware posing as legitimate, valuable applications.
Kandji, an Apple device management and security platform, identified a new piece of macOS malware that is part spyware, part infostealer, and runs natively on both Intel and Apple silicon (ARM) Macs.
They named it “Cuckoo” because, like the bird, it takes over a host that is not its own and lives off its resources.
What’s Cuckoo Spyware’s Disguise?
Cuckoo is a universal Mach-O binary (Mach-O is the native executable format on Apple systems), meaning a single file carries both an x86_64 and an arm64 slice and runs on either kind of Mac. The disguise is not the binary format but the application it travels with.
Kandji researchers started with a file named DumpMediaSpotifyMusicConverter, also seen under the name “upd”, that had been uploaded to VirusTotal.
It harvests data from iCloud Keychain, Apple Notes, web browsers, and cryptocurrency wallets, and also targets application data from Discord, FileZilla, Steam, and Telegram. Kandji researchers note that the malware mutes the system audio before taking screenshots, so the user never hears the shutter sound.
It then launches the legitimate converter app, so the user sees the program they expected and nothing looks amiss.
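One way to catch that mute-then-screenshot behaviour on an endpoint, as an added example that is not Kandji's code or part of the original report: the script below runs a small correlation rule over a handful of constructed process-execution events (the `ts ppid pid cmdline` layout is an assumption for this example, modelled on what EDR or Endpoint Security telemetry provides) and flags any parent process that mutes output audio with osascript and then spawns screencapture within a few seconds.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, one process execution per line: "<unix ts> <ppid> <pid> <cmdline>".
# The layout is an assumption for this example, not a real log format. Parent 502 ("upd") mutes,
# screenshots, then unmutes; 777 screenshots without muting; 123 mutes without screenshotting.
SAMPLE_EVENTS = """\
1714900001 123 501 /Applications/DumpMedia Spotify Music Converter.app/Contents/MacOS/DumpMedia
1714900002 123 502 /Volumes/DumpMedia/upd
1714900003 502 503 /usr/bin/osascript -e set volume with output muted
1714900003 502 504 /usr/sbin/screencapture -x /tmp/.cache/screen.png
1714900004 502 505 /usr/bin/osascript -e set volume without output muted
1714900010 777 506 /usr/sbin/screencapture -x /Users/me/Desktop/shot.png
1714900020 123 507 /usr/bin/osascript -e set volume with output muted
"""

MUTE_RE = re.compile(r"\bosascript\b.*\bset volume with output muted\b")
SCREENCAP_RE = re.compile(r"(^|/)screencapture\b")


def parse_events(text):
    """Parse the constructed telemetry into dicts; the cmdline may itself contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ppid, pid, cmd = line.split(maxsplit=3)
        events.append({"ts": int(ts), "ppid": int(ppid), "pid": int(pid), "cmd": cmd})
    return events


def detect_silent_screenshots(events, window=5):
    """Flag each screencapture whose parent ran an output-mute osascript within `window` seconds before it.

    Keying on the parent pid is what separates Cuckoo's pattern from a user running
    screencapture by hand: the same process both silences the shutter sound and takes the shot.
    """
    by_pid = {e["pid"]: e["cmd"] for e in events}   # used to name the offending parent in the alert
    mute_times = defaultdict(list)                   # ppid -> timestamps of its mute commands
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps same-second order intact
        if MUTE_RE.search(ev["cmd"]):
            mute_times[ev["ppid"]].append(ev["ts"])
        elif SCREENCAP_RE.search(ev["cmd"]):
            if any(0 <= ev["ts"] - t <= window for t in mute_times[ev["ppid"]]):
                alerts.append({
                    "parent_pid": ev["ppid"],
                    "parent_cmd": by_pid.get(ev["ppid"], "<unknown>"),
                    "screencapture_pid": ev["pid"],
                    "ts": ev["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_silent_screenshots(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: pid {alert['parent_pid']} ({alert['parent_cmd']}) muted audio, "
              f"then spawned screencapture pid {alert['screencapture_pid']} at {alert['ts']}")
```

On the sample, only the `upd` parent (pid 502) is flagged; the stand-alone screencapture from pid 777 and the stand-alone mute from pid 123 are not. Plenty of legitimate software calls screencapture, so the pairing with a mute from the same parent is the signal worth alerting on, and in a real deployment the parent would be identified by its image path or audit token rather than a bare pid.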
Searching the web for the file, they found it hosted on a website offering apps that convert music from streaming services to MP3.
The sites involved offer free and paid versions of tools that rip music from streaming services, plus iOS and Android data-recovery utilities. Some of them:
- dumpmedia[.]com
- Tunesolo[.]com
- Fonedog[.]com
- Tunesfun[.]com
- Tunefab[.]com
All the app bundles on these sites are signed with the Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP); bundles from Fonedog carry a different one, FoneDog Technology Limited (CUAU2GTG98). The team identifier in parentheses is what `codesign -dvv` reports for a bundle, so it is a quick way to check a download against this list.
After downloading a Spotify-to-MP3 application, they opened the disk image and found the same “upd” binary sitting beside the real app.
The malicious binary did not run at first because Gatekeeper blocked it. After it was manually allowed to run, it checked the system locale to determine the user's country.
Cuckoo exits without doing anything if the system locale belongs to any of the following countries, a geographic bail-out that is a familiar pattern in malware:
- Armenia
- Belarus
- Kazakhstan
- Russia
- Ukraine
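To triage a stray Mach-O like `upd` offline, as an added example that is not Kandji's code or part of the original report, the following script parses the universal (fat) header to confirm whether both an Intel and an ARM slice are present, as the text describes for Cuckoo, and scans the file for the locale identifiers of the bail-out countries listed above. The sample binary is constructed inside the script, and the locale strings (hy_AM, be_BY, kk_KZ, ru_RU, uk_UA) are the standard identifiers for those five countries; whether Cuckoo compares against exactly these strings is an assumption made here.

```python
import struct

FAT_MAGIC = 0xCAFEBABE        # universal (fat) header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit thin Mach-O header, stored little-endian on x86_64 and arm64
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
FAT_HEADER_LEN, FAT_ARCH_LEN = 8, 20

# Standard locale identifiers for the five bail-out countries in the text. That Cuckoo compares the
# system LocaleIdentifier against exactly these strings is an assumption made for this example.
BAILOUT_LOCALES = [b"hy_AM", b"be_BY", b"kk_KZ", b"ru_RU", b"uk_UA"]


def parse_fat_slices(data):
    """Return [(arch_name, offset, size), ...] for a universal binary, or [] if `data` is not one."""
    if len(data) < FAT_HEADER_LEN:
        return []
    magic, nfat = struct.unpack(">II", data[:FAT_HEADER_LEN])
    # Java .class files share the CAFEBABE magic; there the next field is the class-file version,
    # which is far larger than any plausible slice count, so reject those up front.
    if magic != FAT_MAGIC or nfat == 0 or nfat > 16:
        return []
    if len(data) < FAT_HEADER_LEN + nfat * FAT_ARCH_LEN:
        return []
    slices = []
    for i in range(nfat):
        start = FAT_HEADER_LEN + i * FAT_ARCH_LEN
        cputype, _subtype, offset, size, _align = struct.unpack(">IIIII", data[start:start + FAT_ARCH_LEN])
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), offset, size))
    return slices


def macho64_cputype(blob):
    """Return the cputype of a 64-bit thin Mach-O, or None if `blob` does not start with one."""
    if len(blob) < 8:
        return None
    magic, cputype = struct.unpack("<II", blob[:8])
    return cputype if magic == MH_MAGIC_64 else None


def triage(data):
    """Summarise the architectures and bail-out locale strings found in a Mach-O file image."""
    archs = []
    slices = parse_fat_slices(data)
    for name, offset, size in slices:
        if macho64_cputype(data[offset:offset + size]) is not None:
            archs.append(name)
    if not slices and macho64_cputype(data) is not None:
        archs.append(CPU_NAMES.get(macho64_cputype(data), "unknown"))
    return {
        "universal": bool(slices),
        "archs": archs,
        "intel_and_arm": {"x86_64", "arm64"} <= set(archs),
        "bailout_strings": sorted(s.decode() for s in BAILOUT_LOCALES if s in data),
    }


def _thin_slice(cputype, payload):
    # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0) + payload


def build_sample_universal():
    """Constructed two-slice universal binary carrying locale strings; not a real malware sample."""
    payload = b"\x00" * 16 + b"LocaleIdentifier\x00ru_RU\x00uk_UA\x00"
    x86, arm = _thin_slice(CPU_TYPE_X86_64, payload), _thin_slice(CPU_TYPE_ARM64, payload)
    off_x86 = FAT_HEADER_LEN + 2 * FAT_ARCH_LEN   # real files page-align slices; this sample does not
    off_arm = off_x86 + len(x86)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, off_x86, len(x86), 0)
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, off_arm, len(arm), 0)
    return header + x86 + arm


if __name__ == "__main__":
    print(triage(build_sample_universal()))
```

On a Mac, `file` and `lipo -archs` give the same architecture answer; the parser is here so the check can run on any analysis box and be combined with the string scan. Treat the locale hits as a weak indicator only: a packed or obfuscated sample will not expose them, and their absence proves nothing.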
Cuckoo Wants to Know Everything
The malware is built to collect as much information as it can and send it to its command-and-control (C2) server.
Cuckoo gathers detailed hardware information, the list of installed applications, and the list of currently running processes.
Searching for tools that extract audio or video from a streaming service into MP3 or another format is common, and the attackers set out to exploit that demand.
Only download apps from sources you trust, and treat any disk image that carries an extra executable beside the app as suspect, to protect your Mac from spyware like Cuckoo.