A dangerous new malware is targeting all kinds of Macs. Here’s how to stay safe

Attackers have been observed targeting Macs running on both Intel and Apple silicon (ARM) processors with a new infostealer.

Mac security provider Kandji discovered the malware and named it Cuckoo. “This malware asks for specific files associated with specific applications, in an attempt to gather as much information as possible from the system,” the researchers said in their report.

The information it collects includes hardware details, the list of running processes, and installed applications. Cuckoo can also take screenshots and harvest data from the iCloud Keychain, Apple Notes, web browsers, various apps (Discord, Telegram, Steam and more), and cryptocurrency wallets.

Russia or China?

To spread the malware, the threat actors set up a number of malicious sites that advertise it as a tool for ripping music from streaming services and converting it to MP3, supposedly available in both a free and a paid version.

While the researchers did not explicitly attribute the campaign to a specific threat actor, they noted that the infostealer does not run if the infected device is located in Armenia, Belarus, Kazakhstan, Russia or Ukraine, a geofence that could indicate an association with Russia. However, they also noted that Cuckoo establishes persistence via a LaunchAgent, a technique already seen in RustBucket, XLoader, JaskaGO, and a backdoor similar to ZuRu, malware attributed to a Chinese threat actor.
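Because the persistence mechanism is a LaunchAgent plist, the quickest user-side check is to list what each agent in ~/Library/LaunchAgents and /Library/LaunchAgents actually launches and flag any RunAtLoad or KeepAlive entry whose program lives outside the usual application directories or in a hidden folder. The script below is an added example written for this article, not code from Kandji's report or from the malware; the trusted path prefixes and the two sample plists are constructed for illustration, and a hit only means "look closer", not "this is Cuckoo".

```python
import plistlib
from pathlib import Path
from typing import Optional

# Directories a legitimate LaunchAgent is normally expected to execute from (assumption
# for this example; tune it to your fleet).  An agent that runs at login from somewhere
# else, such as a hidden folder under ~/Library, deserves a closer look.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def launch_agent_program(plist_bytes: bytes) -> Optional[str]:
    """Return the executable a launchd plist would start, or None if it cannot be parsed."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return None
    if isinstance(data.get("Program"), str):
        return data["Program"]
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Classify one LaunchAgent plist: which program it runs and whether it warrants review."""
    program = launch_agent_program(plist_bytes)
    if program is None:
        return {"program": None, "suspicious": True, "reason": "unparseable or no program"}
    data = plistlib.loads(plist_bytes)
    run_at_load = bool(data.get("RunAtLoad", False))
    keep_alive = bool(data.get("KeepAlive", False))   # KeepAlive may be a bool or a dict
    trusted_path = program.startswith(TRUSTED_PREFIXES)
    hidden = any(part.startswith(".") for part in Path(program).parts)
    # Only auto-started agents matter for persistence; flag those that run from odd places.
    suspicious = (run_at_load or keep_alive) and (not trusted_path or hidden)
    reasons = []
    if not trusted_path:
        reasons.append("program outside trusted directories")
    if hidden:
        reasons.append("hidden path component")
    if run_at_load:
        reasons.append("RunAtLoad")
    if keep_alive:
        reasons.append("KeepAlive")
    return {"program": program, "suspicious": suspicious, "reason": ", ".join(reasons)}


def audit_launch_agent_dirs(dirs=None) -> list:
    """Walk the user and system LaunchAgents folders and return one finding per plist."""
    if dirs is None:
        dirs = [Path.home() / "Library" / "LaunchAgents", Path("/Library/LaunchAgents")]
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            result = assess_launch_agent(plist.read_bytes())
            result["file"] = str(plist)
            findings.append(result)
    return findings


# Constructed sample plists for this example (not Cuckoo's real artifacts).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key>
  <string>/Users/alice/Library/Application Support/.cache/helper</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    for name, blob in (("benign sample", BENIGN_PLIST), ("suspicious sample", SUSPICIOUS_PLIST)):
        print(name, assess_launch_agent(blob))
    for finding in audit_launch_agent_dirs():   # real scan; only finds files on a Mac
        flag = "REVIEW" if finding["suspicious"] else "ok    "
        print(flag, finding["file"], "->", finding["program"], "(" + finding["reason"] + ")")
```

Run it on the Mac itself; on another OS it only prints the two constructed samples. Anything marked REVIEW should be checked with `launchctl list` and `codesign -dv` on the program it points to before deleting it, since plenty of legitimate software installs agents under ~/Library as well.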

What makes the China theory more credible is that the malware is signed with a valid Developer ID belonging to a Chinese company:

“Each malicious application contains a different application bundle within the source folder,” the researchers said. “All these bundles (except those hosted on fonedog(.)com) are signed and have a valid developer ID from Yian Technology Shenzhen Co., Ltd (VRBJ4VRP).”

“The website fonedog(.)com hosted, among other things, an Android recovery tool; the additional application bundle in this one has a developer ID of FoneDog Technology Limited (CUAU2GTG98).”
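A signed app is not a safe app: a valid Developer ID only tells you which Apple developer account signed it. Before launching a downloaded "converter", check who that is with `codesign -dv --verbose=4 /path/to/App.app` and compare the Team ID against signers you do not trust. The helper below is an added example for this article, not Kandji's tooling; it parses codesign's output (which the tool writes to stderr), and the sample outputs are constructed, using only the two Team IDs quoted in the report.

```python
import re
import subprocess
from typing import Optional

# Team IDs quoted in Kandji's Cuckoo report.  A blocklist is a first line of defence only:
# Apple can revoke these, and the next campaign can simply use a fresh Developer ID.
CUCKOO_TEAM_IDS = {"VRBJ4VRP", "CUAU2GTG98"}

_TEAM_RE = re.compile(r"^TeamIdentifier=(.+)$", re.MULTILINE)
_AUTH_RE = re.compile(r"^Authority=(.+)$", re.MULTILINE)


def parse_codesign(output: str) -> dict:
    """Extract signer facts from `codesign -dv --verbose=4` output."""
    if "code object is not signed at all" in output:
        return {"signed": False, "team_id": None, "authorities": []}
    m = _TEAM_RE.search(output)
    team: Optional[str] = m.group(1).strip() if m else None
    if team == "not set":          # ad-hoc signatures carry no Team ID
        team = None
    return {"signed": True, "team_id": team, "authorities": _AUTH_RE.findall(output)}


def verdict(output: str, blocklist=CUCKOO_TEAM_IDS) -> str:
    """Turn parsed codesign output into a one-line decision for the user."""
    info = parse_codesign(output)
    if not info["signed"]:
        return "unsigned"
    if info["team_id"] is None:
        return "signed without a Team ID (ad-hoc, not a Developer ID signature)"
    if info["team_id"] in blocklist:
        return f"BLOCKED: Team ID {info['team_id']} is on the blocklist"
    return f"signed by Team ID {info['team_id']}"


def check_bundle(bundle_path: str) -> str:
    """Run codesign on macOS against a bundle and return the verdict (requires the codesign tool)."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", bundle_path],
                          capture_output=True, text=True)
    return verdict(proc.stdout + proc.stderr)


# Constructed sample outputs for this example (hash sizes and paths are placeholders).
SAMPLE_CUCKOO_SIGNER = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.converter
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Yian Technology Shenzhen Co., Ltd (VRBJ4VRP)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=VRBJ4VRP
Sealed Resources version=2 rules=13 files=5
"""

SAMPLE_UNSIGNED = "/tmp/Example.app: code object is not signed at all\n"

SAMPLE_ADHOC = """Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.converter
Signature=adhoc
TeamIdentifier=not set
"""


if __name__ == "__main__":
    for label, sample in (("report signer", SAMPLE_CUCKOO_SIGNER),
                          ("unsigned", SAMPLE_UNSIGNED),
                          ("ad-hoc", SAMPLE_ADHOC)):
        print(f"{label}: {verdict(sample)}")
```

Pair this with `spctl --assess --type execute /path/to/App.app`, which reports whether Gatekeeper would accept the bundle at all; a signer that Apple has since revoked will fail that check even though `codesign -dv` still prints its Team ID.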

Via The Hacker News
