A dangerous new malware is targeting Macs of all kinds — here’s how to stay safe

Be wary of .MP3 ripping software on Mac

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers have been observed targeting Mac devices running on bothIntelandARMsilicon with brand new infostealermalware.

Mac security provider Kandji discovered the malware and dubbed it Cuckoo. “This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system,” the researchers said in theirreport.

Among the information it pulls is hardware information, currently running processes, and installed applications. Furthermore, Cuckoo is capable of taking screenshots, harvesting data fromiCloudKeychains,Applenotes,web browsers, different apps (Discord, Telegram, Steam, and more), and cryptocurrency wallets.

Russia, or China?

To distribute the malware, the threat actors set up a number of malicious sites, where the code is advertised as a program for ripping music from streaming services and converting it into .MP3. It is also being advertised as having both a free and a paid version.

While the researchers did not explicitly attribute the campaign to any particular threat actor, they did note that the infostealer fails to run if the infected device is located in Armenia, Belarus, Kazakhstan, Russia, and Ukraine, possibly hinting an affiliation with Russia. However, they also noted that Cuckoo establishes persistence via LaunchAgent, which was already seen in RustBucket, XLoader, JaskaGO, and a backdoor similar to ZuRu - a Chinese threat actor.

Further adding credence to the China theory is the fact that the malware was signed with a legitimate Chinese developer ID:

“Each malicious application contains another application bundle within the resource directory,” the researchers said. “All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP).”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“The website fonedog[.]com hosted an Android recovery tool among other things; the additional application bundle in this one has a developer ID of FoneDog Technology Limited (CUAU2GTG98).”

ViaThe Hacker News

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Don’t search for information on cats at work — you could be at risk of being hacked

This dangerous new malware is hitting Windows devices by hiding in games

Undermining your privacy? Session says no and leaves Australia