Cuckoo Stealer is a new macOS infostealer/spyware family that is spreading through trojanized apps and malicious installers. It combines XOR-based string obfuscation, AppleScript abuse, and LaunchAgent persistence to steal data while evading basic defenses. #CuckooStealer #macOS #LaunchAgent #AppleScript #XOR #SentinelOne
Keypoints
- The Cuckoo Stealer campaign has produced an increasing number of trojanized macOS apps (18 observed at the time of writing) delivering a malicious binary named upd.
- The malware makes heavy use of XOR-obfuscated strings and a decrypt routine that recovers them only at run time, so its key strings are not visible to static inspection.
- AppleScript is used to duplicate files of interest and to capture the user’s admin password in plain text through a dialog prompt.
- The password is stored in clear text at a hidden path under the user’s home directory (e.g., ~/.local-UUID/pw.dat).
- Persistence is implemented via a LaunchAgent (com.user.loginscript) pointing to the upd binary in the hidden directory.
- The malware leverages Living Off the Land tools (xattr, osascript, system_profiler) for discovery and information gathering.
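The persistence and credential-drop details above (a LaunchAgent labelled com.user.loginscript, an upd binary under a hidden ~/.local-UUID directory, and a clear-text pw.dat beside it) are concrete enough to hunt for. The following is an added example of such a check, not code from the page or from SentinelOne; the plist text and the home-directory layout it inspects are constructed in the script, and the UUID in the path is a placeholder.

```python
import os
import plistlib
import re
import tempfile

# Label and binary name taken from the Keypoints above; the hidden-directory
# pattern follows the ~/.local-<UUID> path the report describes.
SUSPECT_LABEL = "com.user.loginscript"
SUSPECT_BINARY = "upd"
HIDDEN_DIR_RE = re.compile(r"/\.local-[0-9A-Fa-f-]+/")


def assess_launch_agent(plist_bytes: bytes) -> list:
    """Return the reasons a LaunchAgent plist matches the described persistence.

    An empty list means nothing in the plist matched."""
    reasons = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    label = plist.get("Label", "")
    targets = [plist.get("Program", "")] + list(plist.get("ProgramArguments") or [])
    if label == SUSPECT_LABEL:
        reasons.append(f"label matches {SUSPECT_LABEL}")
    for target in targets:
        if not isinstance(target, str):
            continue
        if os.path.basename(target) == SUSPECT_BINARY:
            reasons.append(f"program is an '{SUSPECT_BINARY}' binary: {target}")
        if HIDDEN_DIR_RE.search(target):
            reasons.append(f"program lives in a hidden ~/.local-<UUID> directory: {target}")
    # RunAtLoad only matters once something else already looks wrong.
    if plist.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad is set, so it executes at every login")
    return reasons


def find_hidden_pw_files(home: str) -> list:
    """Return paths of ~/.local-<anything>/pw.dat, the clear-text password drop."""
    hits = []
    for name in os.listdir(home):
        full = os.path.join(home, name)
        # A plain ~/.local directory is normal; only the dashed variant is suspect.
        if name.startswith(".local-") and os.path.isdir(full):
            candidate = os.path.join(full, "pw.dat")
            if os.path.isfile(candidate):
                hits.append(candidate)
    return sorted(hits)


# Constructed LaunchAgent plist shaped like the one the report describes.
# The UUID is a placeholder, not a value from a real infection.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.user.loginscript</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/.local-0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9/upd</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign plist for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def build_demo_home() -> str:
    """Create a throwaway home directory with the described drop (constructed data)."""
    home = tempfile.mkdtemp(prefix="cuckoo-demo-")
    hidden = os.path.join(home, ".local-0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "pw.dat"), "w") as fh:
        fh.write("placeholder-not-a-real-password\n")
    os.makedirs(os.path.join(home, ".local"))  # legitimate dir, must not match
    return home


if __name__ == "__main__":
    for reason in assess_launch_agent(SAMPLE_PLIST):
        print("suspicious:", reason)
    print("benign plist reasons:", assess_launch_agent(BENIGN_PLIST))
    print("pw.dat drops:", find_hidden_pw_files(build_demo_home()))
```

On a real host the same two functions would be run over every file in ~/Library/LaunchAgents and over the home directory itself; a pw.dat hit should be treated as a credential compromise, not just a malware finding, since the admin password is stored there unencrypted.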
MITRE Techniques
- [T1059.005] AppleScript – The malware uses AppleScript to duplicate files/folders of interest and to steal the user’s admin password in plain text. [“The malware is using many of the same techniques… it makes various uses of AppleScript to duplicate files and folders of interest and to steal the user’s admin password in plain text.”]
- [T1082] System Information Discovery – Discovery of hardware UUID via system_profiler/awk to extract hardware identifiers. [“Discovery of Hardware UUID (via System Profiler)” and command examples shown]
- [T1027] Obfuscated/Compressed Files and Information – Heavy use of XOR’d strings to hide its main strings and functionality; the decrypt routine is invoked many times. [“heavy use of XOR’d strings in an attempt to hide its behavior… decrypt routine”]
- [T1543.003] Launch Agent – Persistence via a LaunchAgent with the label com.user.loginscript, pointing to the upd binary. [“persistence LaunchAgent with the label com.user.loginscript”]
- [T1555.001] Credentials in Files – The admin password scraped by the malware is saved in clear text in pw.dat inside a hidden local directory. [“The scraped password is then saved in clear text in a file named pw.dat in a hidden subfolder”]
- [T1005] Data from Local System – The malware targets a set of file extensions (e.g., wallet, pdf, json), indicating data collection from the host. [“an array of file extensions… indicate the kind of information the malware authors are interested in stealing”]
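The T1027 entry above (and the XOR keypoint earlier on this page) describes strings that only become readable once the right XOR key is applied. When an analyst has a list of candidate keys, such as the observed keys in the IoC list, the usual triage step is to try each key against an extracted blob and keep the decode that comes out as readable text. The script below is an added example of that triage, not code from the page or from SentinelOne; the sample blobs are constructed by obfuscating illustrative strings with the first observed key, and the 0xff decoy key is made up so the scoring has something to reject.

```python
import string

# Two XOR keys from the Indicators of Compromise list on this page, preceded by
# a constructed decoy (0xff) that is not from the page.
CANDIDATE_KEYS = [
    b"\xff",                                      # constructed decoy
    b"0dhIscuDmR6xn3VMAG9ZYjBKC4VDeXGbyDyWjHM",  # observed key (page IoC list)
    b"4E72G6aXPne5ejcUgAfae6khJB3c871V0QUmkI",   # observed key (page IoC list)
]

# Bytes accepted as "text": printable ASCII plus tab, newline and CR.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 1.0 is a fully printable decode."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def best_key(blob: bytes, keys=CANDIDATE_KEYS, threshold: float = 0.95):
    """Try each candidate key and return (key, plaintext) for the highest-scoring
    decode at or above the threshold, or None if no key yields text."""
    best = None
    for key in keys:
        out = xor_with_key(blob, key)
        score = printable_ratio(out)
        if score >= threshold and (best is None or score > best[0]):
            best = (score, key, out)
    return None if best is None else (best[1], best[2])


def decode_string_table(blobs, key: bytes) -> list:
    """Once a key is known, decode every blob, mirroring the many call sites of
    the decrypt routine the report mentions."""
    return [xor_with_key(b, key).decode("ascii", errors="replace") for b in blobs]


# Constructed sample: illustrative strings (names the page itself mentions)
# obfuscated with the first observed key. Not bytes extracted from a sample.
SAMPLE_PLAINTEXTS = [b"com.user.loginscript", b"upd", b"pw.dat"]
SAMPLE_BLOBS = [xor_with_key(p, CANDIDATE_KEYS[1]) for p in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    hit = best_key(SAMPLE_BLOBS[0])
    if hit is None:
        print("no candidate key produced readable text")
    else:
        key, text = hit
        print("key:", key.decode(), "->", text.decode())
        for decoded in decode_string_table(SAMPLE_BLOBS, key):
            print("decoded:", decoded)
```

The printable-ratio score is deliberately crude: it is enough to separate a correct key from garbage on short strings, and a practitioner would typically follow it with a check for expected substrings (paths, labels, extensions) before trusting a key across the whole string table.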
Indicators of Compromise
- Bundle Identifier: upd.upd
- Observed Application Names: App Uninstaller.app, DumpMedia Amazon Music Converter.app, DumpMedia DeezPlus.app, and 12 more items
- Observed Mach-O binaries (SHA1): 04a572b2a17412bba6c875a43289aac521f7b98d, 0e3e58a2b19072823df2ec52f09e51acf0d0d724, and many more hashes
- Observed XOR Keys: 0dhIscuDmR6xn3VMAG9ZYjBKC4VDeXGbyDyWjHM, 4E72G6aXPne5ejcUgAfae6khJB3c871V0QUmkI, and many more
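The indicator list above gives three things a file-system sweep can key on: the SHA1 of known binaries, the bundle identifier upd.upd in an app's Info.plist, and an executable named upd inside a bundle. The script below is an added example of such a sweep, not code from the page or from SentinelOne. It uses only the two SHA1 values shown on the page, and the app bundle it scans is a constructed placeholder built in a temporary directory, so the hash check is expected to return nothing while the bundle-id and binary-name checks fire.

```python
import hashlib
import os
import plistlib
import tempfile

# Indicators taken from the list above; the real hash set is longer.
IOC_SHA1 = {
    "04a572b2a17412bba6c875a43289aac521f7b98d",
    "0e3e58a2b19072823df2ec52f09e51acf0d0d724",
}
IOC_BUNDLE_ID = "upd.upd"
IOC_BINARY_NAME = "upd"


def sha1_of(path: str) -> str:
    """Stream-hash a file so large binaries do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def bundle_identifier(app_dir: str):
    """Read CFBundleIdentifier from <app>/Contents/Info.plist, or None."""
    info = os.path.join(app_dir, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return None
    try:
        with open(info, "rb") as fh:
            return plistlib.load(fh).get("CFBundleIdentifier")
    except Exception:
        return None


def sweep(root: str) -> list:
    """Walk root and return sorted (kind, path) findings for bundle-id,
    binary-name and SHA1 matches against the indicators above."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath.endswith(".app") and bundle_identifier(dirpath) == IOC_BUNDLE_ID:
            findings.append(("bundle_id", dirpath))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            if name == IOC_BINARY_NAME and os.access(full, os.X_OK):
                findings.append(("binary_name", full))
            if sha1_of(full) in IOC_SHA1:
                findings.append(("sha1", full))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed fake bundle named after one observed app; the contents are
    placeholders, not the real malware, so no SHA1 indicator will match."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    app = os.path.join(root, "Applications", "DumpMedia DeezPlus.app")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos)
    binary = os.path.join(macos, IOC_BINARY_NAME)
    with open(binary, "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed placeholder, not the real binary\n")
    os.chmod(binary, 0o755)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": IOC_BUNDLE_ID, "CFBundleName": "Demo"}, fh)
    return root


if __name__ == "__main__":
    for kind, path in sweep(build_demo_tree()):
        print(f"{kind}: {path}")
```

Hash matches are the strongest signal but the most brittle, since a rebuilt binary changes its SHA1; the bundle identifier and the hard-coded upd name survive recompilation and are cheap to check across /Applications and user-writable locations.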