Thursday, May 9, 2024

Cuckoo Malware

Adam Kohler and Christopher Lopez:

The downloaded DMG contains an application bundle. Normally, macOS applications instruct the user to drag such apps into the /Applications folder. But in this case, it tells the user to right-click on it and click Open.
Looking into the upd file in the original bundle, we found that it is signed ad hoc with no Developer ID. This means that Gatekeeper will initially stop the app from running and require the user to manually allow it.
The application then creates a new copy of upd, renames it DumpMediaSpotifyMusicConverter, and places it in a hidden folder in the /Users directory. This is why it sometimes appears as upd and other times as DumpMediaSpotifyMusicConverter. The original upd will then use xattr -d to remove the quarantine flag from itself and from the copy of DumpMediaSpotifyMusicConverter.
From here, upd uses osascript to ask the user for their password using the prompt “macOS needs to access System Settings.”

It sends data and even screen captures back to a server, muting the volume so the user doesn’t know a screenshot was being taken.
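The quoted behaviours (an ad-hoc signature, quarantine stripping with `xattr -d`, an osascript password dialog, and a hidden folder under /Users) are all cheap to check for. The script below is an added example, not code from the Kandji write-up or from the malware: POSIX sh functions that take text as input so they run anywhere, plus constructed `codesign -dvv`, `xattr -l` and command-line samples. The AppleScript wording, the `/Users/.<folder>` placement and the `xattr -c` variant are assumptions, since the page shows only the prompt text and says "a hidden folder in the /Users directory".

```shell
#!/bin/sh
# Added example (not Kandji's or the malware author's code): sh triage helpers for the
# Cuckoo tradecraft quoted above. Each function takes text so this runs anywhere; on a Mac
# feed it the real output of `codesign -dvv "<bundle>" 2>&1`, `xattr -l "<file>"`, and
# process command lines from a process-monitoring log.

# 0 (true) when codesign output shows an ad-hoc signature: codesign prints "Signature=adhoc"
# and no "Authority=" chain, which is why Gatekeeper refuses to open the app by default.
is_adhoc_signed() {
    printf '%s\n' "$1" | grep -q '^Signature=adhoc$'
}

# 0 when `xattr -l` output still lists the quarantine attribute. A freshly downloaded payload
# that lacks it has had the flag stripped (Cuckoo runs `xattr -d` on itself and on its copy).
has_quarantine_flag() {
    printf '%s\n' "$1" | grep -q '^com\.apple\.quarantine:'
}

# 0 when a process command line matches one of the quoted behaviours:
#   - quarantine removal via `xattr -d com.apple.quarantine`, or `xattr -c` (clears every xattr)
#   - an osascript dialog collecting a password with "with hidden answer" (assumed wording;
#     the page only gives the prompt text "macOS needs to access System Settings.")
is_suspicious_cmdline() {
    case "$1" in
        *xattr*-d*com.apple.quarantine*) return 0 ;;
        *"xattr -c"*)                     return 0 ;;
        *osascript*"with hidden answer"*) return 0 ;;
    esac
    return 1
}

# 0 when a path is a dot-folder directly under /Users, i.e. hidden beside the home folders
# rather than inside one. Assumption: the page does not name Cuckoo's folder.
is_hidden_users_path() {
    case "$1" in
        /Users/.*) return 0 ;;
    esac
    return 1
}

# --- constructed samples (not captured from a real Cuckoo infection) ---
ADHOC_CODESIGN='Executable=/Volumes/Installer/upd.app/Contents/MacOS/upd
Identifier=upd
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist entries=20
Sealed Resources version=2 rules=13 files=5'

DEVID_CODESIGN='Executable=/Applications/Legit.app/Contents/MacOS/Legit
Identifier=com.example.legit
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=5678 flags=0x10000(runtime) hashes=170+7 location=embedded
Signature size=8996
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

QUARANTINED_XATTR='com.apple.quarantine: 0083;663c9c2a;Safari;F8C3D1A0-0000-4000-8000-000000000001'
STRIPPED_XATTR=''

XATTR_CMD='/usr/bin/xattr -d com.apple.quarantine /Users/.hidden/DumpMediaSpotifyMusicConverter'
PROMPT_CMD='osascript -e '"'"'display dialog "macOS needs to access System Settings." default answer "" with hidden answer'"'"

# Demo run (each check is also a reusable function for scripting).
if is_adhoc_signed "$ADHOC_CODESIGN"; then echo "upd: ad-hoc signed, Gatekeeper will block it"; fi
if is_adhoc_signed "$DEVID_CODESIGN"; then :; else echo "Legit.app: Developer ID chain present"; fi
if has_quarantine_flag "$QUARANTINED_XATTR"; then echo "download: quarantine flag intact"; fi
if has_quarantine_flag "$STRIPPED_XATTR"; then :; else echo "copy: quarantine flag stripped"; fi
if is_suspicious_cmdline "$XATTR_CMD"; then echo "alert: quarantine removal: $XATTR_CMD"; fi
if is_suspicious_cmdline "$PROMPT_CMD"; then echo "alert: password prompt via osascript"; fi
if is_hidden_users_path "/Users/.hidden/DumpMediaSpotifyMusicConverter"; then echo "alert: hidden dir under /Users"; fi
```

On a real system the interesting inputs are `codesign -dvv /path/to/upd.app 2>&1` (codesign writes its report to stderr), `xattr -l` on the downloaded DMG and on anything later dropped under /Users, and the command lines recorded by whatever process monitor is available (Endpoint Security or `log stream` output); the command-line checks are deliberately loose pattern matches and will flag legitimate `xattr -d` use, so treat them as triage hints rather than verdicts.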

1 Comment

All this does is give Apple more (bullshit) justification to remove the ability to run unsigned/ad-hoc applications.

The day they announce that is the day I throw all my Macs in the trash.
