Cuckoo Stealer

Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.[1][2]

ID: S1153
Type: MALWARE
Platforms: macOS
Contributors: Takemasa Kamatani, NEC Corporation; Sareena Karapoola, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 20 August 2024
Last Modified: 28 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Cuckoo Stealer can use the curl API for C2 communications.[1]

Enterprise T1217 Browser Information Discovery

Cuckoo Stealer can collect bookmarks, cookies, and history from Safari.[1]

Enterprise T1059 .002 Command and Scripting Interpreter: AppleScript

Cuckoo Stealer can use osascript to generate a password-stealing prompt, duplicate files and folders, and set environmental variables.[1][2]

.004 Command and Scripting Interpreter: Unix Shell

Cuckoo Stealer can spawn a bash shell to enable execution on compromised hosts.[1]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

Cuckoo Stealer can achieve persistence by creating launch agents to repeatedly execute malicious payloads.[1][2]

Enterprise T1555 .001 Credentials from Password Stores: Keychain

Cuckoo Stealer can capture files from a targeted user's keychain directory.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to /var/folder.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Cuckoo Stealer strings are deobfuscated prior to execution.[1][2]

Enterprise T1041 Exfiltration Over C2 Channel

Cuckoo Stealer can send information about the targeted system to C2 including captured passwords, OS build, hostname, and username.[1]

Enterprise T1083 File and Directory Discovery

Cuckoo Stealer can search for files associated with specific applications.[1][2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Cuckoo Stealer has copied its binary and the victim's scraped password into a hidden folder in the /Users directory.[1][2]

Enterprise T1056 .002 Input Capture: GUI Input Capture

Cuckoo Stealer has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.[1][2]

Enterprise T1095 Non-Application Layer Protocol

Cuckoo Stealer can use sockets for communications to its C2 server.[1]

Enterprise T1027 .008 Obfuscated Files or Information: Stripped Payloads

Cuckoo Stealer is a stripped binary payload.[1][2]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Cuckoo Stealer strings are XOR-encrypted.[1][2]

Enterprise T1647 Plist File Modification

Cuckoo Stealer can create and populate property list (plist) files to enable execution.[1][2]

Enterprise T1057 Process Discovery

Cuckoo Stealer can use ps aux to enumerate running processes.[1]

Enterprise T1113 Screen Capture

Cuckoo Stealer can run screencapture to collect screenshots from compromised hosts. [1]

Enterprise T1518 Software Discovery

Cuckoo Stealer has the ability to search systems for installed applications.[1]

Enterprise T1553 .001 Subvert Trust Controls: Gatekeeper Bypass

Cuckoo Stealer can use xattr -d com.apple.quarantine to remove the quarantine flag attribute.[1][2]

Enterprise T1082 System Information Discovery

Cuckoo Stealer can gather information about the OS version and hardware on compromised hosts.[1][2]

Enterprise T1614 System Location Discovery

Cuckoo Stealer can determine the geographical location of a victim host by checking the language.[1]

.001 System Language Discovery

Cuckoo Stealer can check the systems LANG environmental variable to prevent infecting devices from Armenia (hy_AM), Belarus (be_BY), Kazakhstan (kk_KZ), Russia (ru_RU), and Ukraine (uk_UA).[1]

Enterprise T1033 System Owner/User Discovery

Cuckoo Stealer can discover and send the username from a compromised host to C2.[1]

Enterprise T1569 .001 System Services: Launchctl

Cuckoo Stealer can use launchctl to load a LaunchAgent for persistence.[1]

References