The PolySwarm Blog

Cuckoo: Part Infostealer, Part Spyware

May 13, 2024 2:20:01 PM / by The Hivemind

Executive Summary

Cuckoo is a recently discovered infostealer and spyware hybrid targeting macOS systems.

Key Takeaways

  • Cuckoo is a recently discovered malware family targeting macOS systems.
  • Cuckoo functions as part infostealer, part spyware.
  • Cuckoo uses a universal binary that can target both Intel and ARM architectures.
  • Cuckoo uses a LaunchAgent to create persistence.

What is Cuckoo?

Cuckoo is a recently discovered malware family targeting macOS systems. Kandji recently reported on Cuckoo, describing it as a cross between an infostealer and spyware.

Cuckoo, which was originally detected in late April, is a malicious Mach-O binary. The original file Kandji examined was DumpMediaSpotifyMusicConverter, also named upd. It is a universal binary that can target both Intel and ARM architectures. The application is advertised as being capable of converting music from streaming services, such as Spotify, to MP3 format.

According to Kandji, the DMG they downloaded contained an application bundle. Rather than the typical method of dragging the application to the /Applications directory, the installation instructions tell the user to right-click on the application and click Open. The bundle contains a file called upd. The upd file carries no developer ID signature, meaning Gatekeeper will not allow the app to run without manual approval from the user; the right-click-and-Open instruction is how the victim is walked through granting that approval.

When the application runs, it spawns a bash shell and gathers host information. Stealers do not typically create persistence on the victim machine; Cuckoo, however, does, using a LaunchAgent. Cuckoo's spyware functions include, but are not limited to, taking screenshots and accessing downloads, cookies, browser history, and the victim device's microphone. Other stolen information includes, but is not limited to, Keychain data, Notes, Safari data, crypto wallets, and communications app data. For privilege escalation, Cuckoo uses osascript to display a fake password prompt, tricking victims into entering their system passwords.
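Because LaunchAgent persistence is unusual for a stealer, auditing the plists under ~/Library/LaunchAgents is a cheap host check for this behaviour. The script below is an added example, not code from the original bulletin or from Kandji's analysis; the two plists, their labels and file paths are constructed, and the heuristics (program outside trusted locations, Apple-style label in a user agent, shell with an inline command) are general defensive checks rather than Cuckoo-specific indicators.

```python
import plistlib
from pathlib import PurePosixPath

# Locations a LaunchAgent's program normally lives in; a program elsewhere deserves a look.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/",
                    "/Library/Apple/", "/opt/homebrew/")
SHELLS = {"sh", "bash", "zsh"}

# Constructed sample plists (not real Cuckoo artifacts). The second models the pattern the
# bulletin describes: a binary named "upd" persisted via a LaunchAgent from a user-writable path.
SAMPLE_PLISTS = {
    "com.vendor.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Vendor.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.apple.upd.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.upd</string>
  <key>ProgramArguments</key><array><string>/Users/victim/Library/Application Support/upd/upd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

def assess_launch_agent(raw: bytes) -> dict:
    """Parse one LaunchAgent plist and return the heuristics it trips."""
    plist = plistlib.loads(raw)
    args = plist.get("ProgramArguments") or []
    exe = plist.get("Program") or (args[0] if args else "")
    label = plist.get("Label", "")
    findings = []
    if not exe:
        findings.append("no Program or ProgramArguments")
    elif not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted locations: {exe}")
    # A user-level agent claiming an Apple label is a classic masquerade.
    if label.startswith("com.apple."):
        findings.append(f"Apple-style label in a user LaunchAgent: {label}")
    # A shell with an inline script hides the real payload from a quick listing.
    if PurePosixPath(exe).name in SHELLS and "-c" in args:
        findings.append("runs a shell with an inline command")
    return {"label": label, "program": exe,
            "runs_at_load": bool(plist.get("RunAtLoad")), "findings": findings}

def audit(plists: dict) -> list:
    """Return the assessment of every plist that tripped at least one heuristic."""
    results = (assess_launch_agent(raw) for raw in plists.values())
    return [r for r in results if r["findings"]]

if __name__ == "__main__":
    for hit in audit(SAMPLE_PLISTS):
        print(hit["label"], "->", "; ".join(hit["findings"]))
```

On a live host, replace SAMPLE_PLISTS with the bytes of each file in ~/Library/LaunchAgents and treat any hit as a lead to verify, not a verdict.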

At this time, Cuckoo has not been attributed to a particular threat actor. It is, however, notable that the malware checks the user's locale and will not infect devices located in Armenia, Belarus, Kazakhstan, Russia, or Ukraine; on such a device, the binary instead opens a legitimate music converter application.

IOCs

PolySwarm has a sample of Cuckoo.

1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7

You can use the following CLI command to search for all Cuckoo samples in our portal:

$ polyswarm link list -f Cuckoo