Another nasty Mac malware spoofs legitimate software to target macOS users

Cybersecurity researchers at Intego have discovered new variants of the dreaded Cuckoo malware targeting macOS users.

For those unfamiliar with the name, Cuckoo is an infostealer that targets Mac devices running on both Intel and ARM silicon.

Intego researchers now say they found a new variant masquerading as Homebrew, a popular macOS software package manager. The attackers set up a fake landing page, seemingly identical to the authentic Homebrew page, where the infostealer was deployed.

Poisoning Google Ads

In early May 2024, Mac security provider Kandji said the malware “requests specific files associated with specific applications, in an attempt to gather as much information as possible from the system.” Apparently Cuckoo was looking for hardware information, currently running processes, and installed applications.

Key features include the ability to take screenshots, collect data from iCloud Keychains, Apple Notes, web browsers, various apps (Discord, Telegram, Steam and more) and grab cryptocurrency wallet data.

The threat was spread via fake software, a program that claimed to be able to rip music from streaming services into .MP3 files.

While setting up a fake website is easy, getting people to visit it is infinitely harder. Intego believes that in order to get people to visit the website, the attackers engaged in Google Ads poisoning: accessing Google Ads accounts with approved and running campaigns and modifying them (or running new campaigns) to generate traffic.

“We encourage consumers to ditch the habit of ‘just Googling’ to find legitimate sites,” the researchers said. “Such habits often include clicking the first link without thinking much about it, thinking that Google won’t lead them astray and give them the right result at the top. Malware makers of course know this and that is why they pay Google for the number one position.”

Instead of Googling popular websites, users are advised to type in the address themselves or bookmark the sites.
