Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware

MITRE Techniques

• [T1547.001] Launch Agent – Persistence via LaunchAgents plist and launchctl load -w to run every 60 seconds. Quote: “launchctl load -w “/Users/test/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist””
• [T1059.004] Unix Shell – Execution through a bash shell and system_profiler usage to gather hardware UUID. Quote: “spawned a bash shell and started to gather host information using the system_profiler command to gather the hardware UUID.”
• [T1059.005] AppleScript – AppleScript/osascript prompts for credentials and interacts with system prompts. Quote: “osascript to ask the user for their password using the prompt “macOS needs to access System Settings.””
• [T1113] Screen Capture – Uses screencapture to capture the screen and save images. Quote: “The malware then proceeds to look for various file-type extensions… It will then unmute the computer by running the screencapture command.”
• [T1036] Masquerading – Masquerades as legitimate DumpMedia Spotify Music Converter by duplicating the legitimate app into /Applications and opening it. Quote: “the malware copies the legitimate version of the application that was found in the resource folder to the /Application directory. It then launches the application.”
• [T1083] File and Directory Discovery – Discovers and enumerates directories and files (e.g., /Applications, Safari data, Keychains, Notes). Quote: “openDir_readDir(DirectoryOpen: &DirectoryOpen, “*”, avoid_DS_Store, &var_2b0, 0x3e7)”
• [T1056] Input Capture – Password collection via pw.dat after prompting the user; credential verification via Core Services Identity. Quote: “PasswordCapture() is executed… passwordChecker() function uses Core Services Identity functions to determine if the captured password is correct”
• [T1041] Exfiltration Over C2 – Uses curl to post data to a remote C2; includes the target URL. Quote: “http://146.70.80.123/static.php” and “curl_easy_setopt(curlHandle, …)”
• [T1027] Obfuscated/Compressed Files and Information – XOR encoding decodes strings and commands at runtime. Quote: “The strings are XOR-encoded; the output of the command above is set up and decoded in this subroutine.”