New Cuckoo macOS malware can take over all Macs and steals your passwords too — don’t fall for this

MacBook Air 15-inch M2 on a bench
(Image credit: Tom's Guide)

Hackers are using a new Mac malware, built as a universal binary, to launch attacks against both newer Macs running Apple silicon and older Intel-based Macs.

As reported by The Hacker News, the malware in question has been dubbed Cuckoo by security researchers at the device management company Kandji. Besides targeting both newer and older Macs, what sets Cuckoo apart is that it behaves like a cross between infostealer malware and spyware.

In a blog post, Kandji’s Adam Kohler and Christopher Lopez explain that they came across a previously undetected malicious Mach-O binary on the malware-tracking site VirusTotal with the name “DumpMedia Spotify Music Converter.” They then looked up the program’s name online and found that it was being distributed from a site called dumpmedia[.]com which offers multiple apps to help users pirate music from streaming services by converting them into MP3 files.

While the Cuckoo malware is currently being spread on music piracy sites, this campaign could easily be changed to distribute it through other fake apps. Here’s everything you need to know about this new Mac malware threat including some tips on how you can keep your own Mac virus free.

Establishing persistence and escalating privileges

After downloading the DumpMedia Spotify Music Converter app, the researchers found that the disk image contained an application bundle. This is notable because normally a macOS app just needs to be dragged into the Applications folder; this one instead instructs users to right click on it and then click Open, which is the manual override for apps that Gatekeeper would otherwise refuse to launch.

The app found in the bundle was not signed with a Developer ID certificate (and so could not have been notarized either), which means Gatekeeper blocks it from running on a normal double-click. Once a user overrides that check and allows it to run manually, the malware runs its course.

Just like the MacStealer malware, Cuckoo uses an osascript dialog to display a fake system password prompt that tricks users into typing in their login password. Since Apple's own authentication prompts are never drawn by osascript, a script asking for a password is itself a warning sign. If the hackers behind this malware obtain a victim's password, they can use it to run the rest of the malware with elevated privileges on the infected machine.
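The fake prompt described above is one of the few things about Cuckoo that is easy to spot from process telemetry. As an added example (not Kandji's tooling and not code from the Cuckoo sample), the script below scores process-execution events and flags osascript invocations that draw a masked "hidden answer" text field, especially when the dialog mentions a password and the parent process is not something a person would type a script into. The event feed, its field names and the dialog wording are constructed for the example; the AppleScript `display dialog ... with hidden answer` syntax itself is real.

```python
"""Flag osascript credential prompts in process-execution telemetry.

Added example for this article, not Kandji's tooling or anything from the
Cuckoo sample. The events below are constructed to resemble an EDR process
feed; the field names and the dialog wording are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent: str   # name of the parent process
    path: str     # executable path
    cmdline: str  # full command line


# 'display dialog ... default answer "" with hidden answer' is AppleScript's
# way to draw a masked text field. Real macOS credential prompts are drawn by
# SecurityAgent, so osascript asking for a password is itself the signal.
HIDDEN_ANSWER = re.compile(r"display\s+dialog.*with\s+hidden\s+answer", re.I | re.S)
CRED_WORDS = re.compile(r"password|passcode|credential", re.I)
# Parents from which a human might legitimately run such a script by hand.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "Script Editor", "Automator"}


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Score one event; 0 means it is not an osascript hidden-answer dialog."""
    if not ev.path.endswith("/osascript") or not HIDDEN_ANSWER.search(ev.cmdline):
        return 0, []
    score, reasons = 2, ["osascript hidden-answer dialog"]
    if CRED_WORDS.search(ev.cmdline):
        score += 1
        reasons.append("dialog text asks for a password")
    if ev.parent not in INTERACTIVE_PARENTS:
        score += 1
        reasons.append(f"spawned by {ev.parent!r}, not an interactive tool")
    return score, reasons


def find_fake_prompts(events, threshold: int = 3):
    """Return (pid, score, reasons) for every event at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.pid, score, reasons))
    return hits


# Constructed sample feed: one fake prompt, one hand-run script, two unrelated.
SAMPLE_EVENTS = [
    ProcEvent(511, "DumpMedia Spotify Music Converter", "/usr/bin/osascript",
              'osascript -e \'display dialog "macOS needs access to System Settings.'
              ' Please enter your password:" default answer "" with hidden answer'
              ' with icon caution\''),
    ProcEvent(600, "Terminal", "/usr/bin/osascript",
              'osascript -e \'display dialog "API token?" default answer "" with hidden answer\''),
    ProcEvent(700, "Finder", "/usr/bin/osascript",
              'osascript -e \'display notification "Export finished"\''),
    ProcEvent(800, "bash", "/bin/sleep", "sleep 5"),
]

if __name__ == "__main__":
    for pid, score, reasons in find_fake_prompts(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

With the default threshold only the prompt spawned by the converter app is reported; the hand-typed script in Terminal scores too low, which is the intended trade-off between catching this trick and paging on every admin who uses AppleScript dialogs.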

Cuckoo then takes note of the apps installed on the now compromised Mac, takes screenshots and harvests data from iCloud Keychain, Apple Notes, web browsers, crypto wallets and apps like Discord, FileZilla, Steam and Telegram.

It’s also worth noting that Cuckoo establishes persistence by installing a LaunchAgent, a launchd property list placed in the user’s Library/LaunchAgents folder that tells macOS to start the malware again at every login. This way, even if you reboot your computer, the malware will still run the next time you sign in to your Mac. Before it begins stealing sensitive data, the malware also checks the Mac’s locale and stops if the machine is set to Armenia, Belarus, Kazakhstan, Russia or Ukraine.
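Because a LaunchAgent is just a plist on disk, the persistence mechanism described above is also the easiest place to look for an infection. The script below is an added example, not Kandji's code or a reconstruction of Cuckoo's actual plist: it parses launchd agent plists and reports the traits infostealers tend to share, such as a program living in a user-writable or hidden directory, an interpreter such as osascript or bash as the program, and RunAtLoad combined with KeepAlive. The two sample plists, their labels and paths are hypothetical; `scan_launch_agents` applies the same checks to the real LaunchAgents folders on a Mac.

```python
"""Triage launchd LaunchAgent plists for infostealer-style persistence.

Added example, not from Kandji's write-up or the Cuckoo sample. The plists
below are constructed to show one suspicious and one benign entry; labels,
paths and program names are hypothetical.
"""
import plistlib
from pathlib import Path

# Prefixes under which agents installed by Apple or by normal apps live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# A LaunchAgent whose program is an interpreter is usually hiding its real payload.
INTERPRETERS = {"osascript", "bash", "sh", "zsh", "python", "python3", "perl", "curl"}


def triage_plist(filename: str, data: bytes) -> list[str]:
    """Return the reasons one LaunchAgent plist looks suspicious (empty if none)."""
    try:
        plist = plistlib.loads(data)
    except plistlib.InvalidFileException:
        return ["not a valid property list"]
    reasons = []
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if not program:
        return ["no Program or ProgramArguments"]
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"runs from a user-writable location: {program}")
    if any(part.startswith(".") for part in Path(program).parts[1:]):
        reasons.append("hidden path component in program path")
    if Path(program).name in INTERPRETERS:
        reasons.append(f"invokes an interpreter: {' '.join(args)}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: starts at login and is relaunched if killed")
    label = plist.get("Label", "")
    if label.count(".") < 2 or Path(filename).stem != label:
        reasons.append(f"label {label!r} is not reverse-DNS or does not match {filename!r}")
    return reasons


def scan_launch_agents(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents")) -> dict:
    """Run triage_plist over every .plist in the given folders (skips missing ones)."""
    findings = {}
    for d in dirs:
        folder = Path(d).expanduser()
        if not folder.is_dir():
            continue
        for f in folder.glob("*.plist"):
            reasons = triage_plist(f.name, f.read_bytes())
            if reasons:
                findings[str(f)] = reasons
    return findings


# Constructed, hypothetical plists for demonstration.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.user.loginscript</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/.helper/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example Backup.app/Contents/MacOS/backup-agent</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for name, blob in (("com.user.loginscript.plist", SUSPICIOUS_PLIST),
                       ("com.example.backup.plist", BENIGN_PLIST)):
        print(name, "->", triage_plist(name, blob) or "nothing unusual")
    # On a real Mac, this walks the user and system LaunchAgents folders.
    print(scan_launch_agents() or "no suspicious agents found")
```

Anything this flags deserves a follow-up with `codesign -dv --verbose=4` and `spctl -a -t exec` on the referenced program: an unsigned binary in Application Support that starts at every login and respawns when killed is the profile the article describes.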

How to stay safe from Mac malware

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

As is often the case with other malware strains, Cuckoo is currently being spread on piracy sites. Besides being illegal and harmful to creators, pirating content online is usually a surefire way to end up with a nasty malware infection.

While your Mac comes with built-in antivirus software in the form of Apple’s XProtect, you might also want to consider using one of the best Mac antivirus software solutions as well. These paid antivirus programs tend to receive updates more regularly, come with more features and often give you access to extras like a VPN or password manager.

We could see the hackers behind this campaign come up with another way to distribute the new Cuckoo malware like through phishing emails or malicious apps. For right now though, if you avoid sites that offer a way to download music from streaming services, you should be safe.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.