Cuckoo Malware
Adam Kohler and Christopher Lopez:
The downloaded DMG contains an application bundle. Normally, macOS applications instruct the user to drag such apps into the /Applications folder. But in this case, it tells the user to right-click on it and click Open.
[…]
Looking into the upd file in the original bundle, we found that it is signed adhoc with no developer ID. This means that Gatekeeper will initially stop the app from running and require the user to manually allow it.
[…]
The application then creates a new copy of
upd, renames it DumpMediaSpotifyMusicConverter, and places it in a hidden folder in the /Users directory. This is why it sometimes appears asupdand other times as DumpMediaSpotifyMusicConverter. The originalupdwill then usexattr -d com.apple.quarantineto remove the quarantine flag from itself and from the copy of DumpMediaSpotifyMusicConverter.[…]
From here,
updusesosascriptto ask the user for their password using the prompt “macOS needs to access System Settings.”
It sends data and even screen captures back to a server, muting the volume so the user doesn’t know a screenshot was being taken.
All this does is give Apple more (bullshit) justification to remove the ability to run unsigned/ad-hoc applications.
The day they announce that is the day I throw all my Macs in the trash.