New Cuckoo Malware Targeting macOS Users to Steal Sensitive Data


Cybersecurity experts have identified a new information stealer targeting Apple macOS computers that is intended to establish persistence on compromised hosts and function as spyware.

The malware, which Kandji has dubbed Cuckoo, is a universal Mach-O binary that can execute on both Intel and Arm Macs.

The exact distribution vector is currently unknown, but there are indications that the binary is hosted on sites such as dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which claim to provide free and paid versions of applications for ripping music from streaming services and converting it to MP3 format.

The disk image file downloaded from these websites is responsible for spawning a bash shell to collect host data and for ensuring that infected machines are not located in Armenia, Belarus, Kazakhstan, Russia, or Ukraine.

The malicious binary is executed only if the locale check is successful.

It also achieves persistence through the use of a LaunchAgent, a strategy previously employed by other malware families such as RustBucket, XLoader, JaskaGO, and a macOS backdoor that bears similarities to ZuRu.
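Because LaunchAgent persistence is shared across so many macOS families, a defender's first triage step is usually to enumerate the LaunchAgent property lists on a host and flag the ones whose program path or launch settings look out of place. The script below is an added example written for this article; it is not code from Kandji or from the Cuckoo analysis. It uses only the Python standard library (`plistlib`) to parse each plist, and the heuristics (unusual parent directories, hidden path components, a shell used as a command wrapper, RunAtLoad/KeepAlive) as well as the two embedded sample plists are assumptions constructed for illustration, not indicators taken from the malware.

```python
"""Triage macOS LaunchAgent plists for persistence review.

Added example, not code from the article, Kandji, or the Cuckoo sample.
The heuristics and the sample plists below are constructed assumptions.
"""
import os
import plistlib
from pathlib import Path

# Directories launchd reads per-user and per-system LaunchAgents from.
LAUNCH_AGENT_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
]

# Parent directories where a legitimate agent's program rarely lives
# (assumption-based triage heuristic, not a verdict).
UNUSUAL_PATH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

# Shells that, combined with "-c", turn a LaunchAgent into a command wrapper.
SHELLS = {"bash", "sh", "zsh"}


def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and return label, program, and findings."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments") or [])
    program = data.get("Program") or (args[0] if args else "")
    candidates = [program] + args  # every path-like string the agent runs
    findings = []

    if data.get("RunAtLoad"):
        findings.append("RunAtLoad")
    if data.get("KeepAlive"):
        findings.append("KeepAlive")
    if os.path.basename(program) in SHELLS and "-c" in args:
        findings.append("shell-command-wrapper")
    if any(c.startswith(UNUSUAL_PATH_PREFIXES) for c in candidates):
        findings.append("unusual-program-path")
    if any(part.startswith(".") for c in candidates for part in Path(c).parts):
        findings.append("hidden-path-component")

    return {"label": data.get("Label"), "program": program, "findings": findings}


def scan_launch_agents(dirs=LAUNCH_AGENT_DIRS) -> list:
    """Triage every *.plist in the given LaunchAgent directories."""
    results = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.plist")):
            try:
                results.append((str(path), triage_launch_agent(path.read_bytes())))
            except Exception as exc:  # a malformed plist is itself worth a look
                results.append((str(path), {"label": None, "program": None,
                                            "findings": [f"parse-error: {exc}"]}))
    return results


# Constructed sample: a shell wrapper launching a hidden helper in /Users/Shared.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>-c</string><string>/Users/Shared/.helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed sample: an ordinary agent inside an application bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/sync-agent</string><string>--background</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, triage_launch_agent(blob))
    for path, result in scan_launch_agents():
        print(path, result)
```

On a live Mac, `scan_launch_agents()` walks the real LaunchAgent directories; on any other system it simply returns an empty list, so the embedded samples are what demonstrate the logic. Findings are cumulative hints for an analyst rather than a verdict: many legitimate agents set RunAtLoad, so the interesting entries are those combining several findings.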

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents