Another nasty Mac malware is spoofing legitimate software to target macOS users


Cybersecurity researchers from Intego have discovered new variants of the dreaded Cuckoo malware that targets macOS users.

For those unfamiliar with the name, Cuckoo is an infostealer targeting Mac devices running on both Intel and ARM silicon.

Intego’s researchers now say they have found a new variant that was pretending to be Homebrew, a popular macOS software package manager. The attackers set up a fake landing page, seemingly identical to the authentic Homebrew page, which deployed the infostealer.

Poisoning Google Ads

In early May 2024, Mac security provider Kandji said the malware “queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system.” Apparently, Cuckoo was looking for hardware information, currently running processes, and installed applications.

Its key features include the ability to take screenshots, harvest data from iCloud Keychains, Apple Notes, web browsers, and different apps (Discord, Telegram, Steam, and more), and grab cryptocurrency wallet data.

The threat was being distributed via fake software, a program claiming to be able to rip music from streaming services into .MP3 files.

While setting up a fake website is easy, getting people to visit it is infinitely harder. Intego believes that to get people to visit the website, the attackers engaged in Google Ads poisoning, obtaining access to Google Ads accounts with cleared and running campaigns, and modifying them (or running new campaigns) to generate traffic.

“We recommend that consumers get out of the habit of ‘just Google it’ to find legitimate sites,” the researchers said. “Such habits often include clicking on the first link without giving it much thought, under the assumption that Google won’t lead them astray, and will give them the correct result right at the top. Malware makers know this, of course, and that’s why they’re paying Google for the number-one position.”

Instead of Googling popular websites, users are advised to type in the address themselves, or to bookmark the sites.
