Another nasty Mac malware is spoofing legitimate software to target macOS users


Cybersecurity researchers from Intego have discovered new variants of the dreaded Cuckoo malware that targets macOS users.

For those unfamiliar with the name, Cuckoo is an infostealer targeting Mac devices running on both Intel and ARM silicon.

Intego’s researchers now say they have found a new variant that was posing as Homebrew, a popular macOS software package manager. The attackers set up a fake landing page, seemingly identical to the authentic Homebrew page, which delivered the infostealer.

Poisoning Google Ads

In early May 2024, Mac security provider Kandji said the malware “queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system.” Apparently, Cuckoo was looking for hardware information, currently running processes, and installed applications.

Among its key features are the ability to take screenshots, harvest data from iCloud Keychains, Apple notes, web browsers, different apps (Discord, Telegram, Steam, and more), and grab cryptocurrency wallet data.

The threat was being distributed via fake software, a program claiming to be able to rip music from streaming services into .MP3 files.

While setting up a fake website is easy, getting people to visit it is far harder. Intego believes that to drive visitors to the website, the attackers engaged in Google Ads poisoning: obtaining access to Google Ads accounts with already approved and running campaigns, then modifying those campaigns (or running new ones) to generate traffic.

“We recommend that consumers get out of the habit of ‘just Google it’ to find legitimate sites,” the researchers said. “Such habits often include clicking on the first link without giving it much thought, under the assumption that Google won’t lead them astray, and will give them the correct result right at the top. Malware makers know this, of course, and that’s why they’re paying Google for the number-one position.”

Instead of Googling popular websites, users are advised to type in the address themselves, or to bookmark the sites.
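The Google Ads poisoning described above works because a lookalike domain reached through a sponsored result passes a casual glance. Beyond the bookmarking advice, a defender can flag such domains after the fact in proxy or browser-history logs. The script below is an added example written for this article, not code from Intego, Kandji or the Homebrew project: it compares each visited host against a small allow-list of expected official hosts (brew.sh is Homebrew's real site; example-vendor.com is a placeholder) and reports hosts that embed, re-spell or mimic an allow-listed name. The log lines it scans are constructed for the example.

```python
"""Flag lookalike hosts in constructed proxy-log lines (added example, not the article's code)."""
from urllib.parse import urlsplit

# Official hosts users are expected to reach for these tools. brew.sh is Homebrew's
# public site; example-vendor.com is an assumed placeholder you would replace.
ALLOWLIST = ("brew.sh", "example-vendor.com")

# Constructed sample log: timestamp, user, URL. Not taken from the article.
SAMPLE_LOG = """\
2024-05-13T09:58:02Z alice https://brew.sh/
2024-05-13T10:01:44Z bob https://www.brew.sh/install
2024-05-13T10:03:10Z carol https://brew-sh.com/install
2024-05-13T10:05:31Z dave https://brevv.sh/
2024-05-13T10:07:12Z erin https://brew.sh.download-mirror.net/brew
2024-05-13T10:09:55Z frank https://docs.python.org/3/
"""


def host_of(url):
    """Lower-cased hostname of a URL with a leading 'www.' and trailing dot removed."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squash(s):
    """Drop dots and hyphens so 'brew-sh' and 'brew.sh' compare equal."""
    return "".join(ch for ch in s if ch.isalnum())


def lookalike_reason(host):
    """Return None for an allow-listed host (or its subdomain), else why it looks suspicious."""
    for good in ALLOWLIST:
        if host == good or host.endswith("." + good):
            return None
    for good in ALLOWLIST:
        if good in host:
            # e.g. brew.sh.download-mirror.net: the real name is only a prefix
            return f"embeds {good} inside another domain"
        labels = host.split(".")
        no_tld = ".".join(labels[:-1]) if len(labels) > 1 else host
        if squash(no_tld) == squash(good):
            # e.g. brew-sh.com: same letters, different separator and TLD
            return f"separator/TLD variant of {good}"
        if edit_distance(squash(host), squash(good)) <= 2:
            # e.g. brevv.sh: a couple of characters away from the real name
            return f"within 2 edits of {good}"
    return None


def scan_log(text):
    """Scan 'timestamp user url' lines and return (user, host, reason) for each lookalike."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, user, url = parts
        host = host_of(url)
        reason = lookalike_reason(host)
        if reason:
            findings.append((user, host, reason))
    return findings


if __name__ == "__main__":
    for user, host, reason in scan_log(SAMPLE_LOG):
        print(f"{user}: {host} -> {reason}")
```

Exact hosts and genuine subdomains (brew.sh, www.brew.sh) pass; the three constructed lookalikes are reported with the rule that caught them. The edit-distance threshold of 2 is deliberately loose for short names and will produce some false positives on a large allow-list, so treat the output as a triage queue rather than a verdict.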


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.