Intego: New Cuckoo Malware Threat for macOS Users

Cybersecurity experts at Intego have identified new variants of the infamous Cuckoo malware targeting macOS users.

For those unaware, Cuckoo is an info stealer that affects Mac devices on both Intel and ARM silicon.

Intego’s researchers recently found a variant pretending to be Homebrew, a well-known macOS software package manager. The attackers created a fake landing page identical to the real Homebrew page to deploy the infostealer.

Poisoning Google Ads

In May 2024, Mac security provider Kandji reported that the malware searches for files linked to specific apps, aiming to gather extensive system information. Cuckoo targets hardware details, running processes, and installed applications.

Key features include taking screenshots; accessing iCloud Keychains, Apple Notes, web browsers, and various apps (Discord, Telegram, Steam); and collecting cryptocurrency wallet data.

The malware spread through fake software claiming to convert streaming music into .MP3 files.

While creating a fake website is simple, driving traffic to it is challenging. Intego suggests attackers used Google Ads poisoning, taking over Google Ads accounts to redirect users to the fake site.

“Consumers should avoid ‘just Googling it’ to find legitimate sites,” the researchers advised. “People often click the first link, trusting Google to provide the correct result. Malware creators exploit this, paying Google for the top spot.”

Users should type website addresses directly or bookmark trusted sites instead of relying on search engines.