Intego discovers new “Cuckoo” Mac malware mimicking Homebrew
Posted on by Joshua Long
In recent months, we’ve written a lot about stealer malware that infects Macs. One malware family that frequently resurfaces is Atomic Stealer, or AMOS (short for Atomic macOS Stealer). AMOS is designed to exfiltrate sensitive data from infected Macs; this typically includes things like saved passwords, cookies, autofill text, and cryptocurrency wallets. Recent headlines have used the malware or campaign name “Cuckoo” to describe some variants of the AMOS family.
Cuckoo malware, like other AMOS variants, is distributed in the form of Trojan horses, often masquerading as supposedly pirated or “cracked” versions of apps. In recent months, numerous Trojan horses have pretend to be various legitimate apps; they employ elaborate campaigns, leveraging malicious Google Ads that link to lookalike homepages with Trojan downloads.
Yesterday, Intego began tracking new Cuckoo variants that have not been written about elsewhere. Here’s everything you need to know about Cuckoo, and how to stay protected.
In this article:
- A brief history of Cuckoo Mac malware
- Intego discovers a new Cuckoo variant
- Source of these new Cuckoo infections
- How can I keep my Mac safe from Cuckoo and other malware?
- Indicators of compromise (IOCs)
- Do security vendors detect this by any other names?
- How can I learn more?
A brief history of Cuckoo Mac malware
Atomic macOS Stealer (AMOS, or AtomicStealer) first surfaced in late April 2023, just over a year ago. At the time, a threat actor began selling it via Telegram as malware as a service, licensable for $1,000 per month.
Since then, we’ve seen lots of AMOS variants emerge. We wrote about later campaigns in September 2023 and February 2024, and we often discuss it on the Intego Mac Podcast.
Earlier this month, we wrote about a previously undocumented AMOS variant that Intego’s research team discovered.
Most often, AMOS malware is distributed through malicious Google Ads campaigns. These poisoned Google ads appear at the top of search results, where many people will see and click on them. In some cases, the ads are virtually indistinguishable from legitimate Google Ads run by the real software companies they mimic.
Beginning a few weeks ago, in late April, a few antivirus vendors began calling some AMOS variants by the name Cuckoo.
A new Cuckoo variant emerges
Just yesterday, on the morning of Wednesday, May 15, a researcher named Alden wrote on social media about a blog post he had just published. Alden described this new campaign as distributing “Cuckoo and AtomicStealer.”
In his blog post, Alden wrote that someone had submitted a file to VirusTotal that contacted a suspicious domain that mimics the homepage of Homebrew, a popular macOS software package manager. The page tries to trick users into copying and pasting a command from the site into their Mac’s Terminal app.
While that might sound ridiculously suspicious and dangerous—and it normally would be—the legitimate Homebrew software is actually installed in this exact way. The lookalike page was so convincing that Alden himself, a professional malware researcher, said he would have fallen for it.
Compare for yourself. Would you have guessed correctly which is real, and which is fake?
Interestingly, this is not the first time that malware makers have mimicked Homebrew. In 2020, threat actors used another domain that was similar to that of the real Homebrew site, as part of a typosquatting campaign. Additionally, back in 2017, Mac malware known as Dok used “homebrew” in the filename of one of its LaunchAgents.
Intego discovers new Cuckoo variants
While conducting our own research based on Alden’s findings, Intego discovered that the shell script dropper and the initial Mach-O binary had both changed already from what were originally hosted on the lookalike site, merely hours after Alden’s social media post went live.
The new version of the bash script (the install.sh
file) only had a minor, insignificant change, possibly to evade rudimentary antivirus protection based on whole-file hashes. The SHA-256 hash for the new variant is 1ea41635116b43afd1e50ed9dec1534699fb1958bd777971dd0fb7bc0ed104ec
.
But where things get interesting is the Mach-O binary (the brewinstaller
file) distributed through the site.
Of course, it still has the usual infostealer functionality: gathering wallets, passwords, and other sensitive data, and exfiltrating them to the malware maker. But what’s new in the updated sample we discovered is that it adds additional functionality to behave differently if it’s run within a virtual machine. In particular, it checks whether it’s running within a VirtualBox, VMware, or Parallels virtual environment. Most of the time, when an app contains VM detection, it’s to make the app more difficult for reverse engineers or malware analysts to investigate.
One can imagine that perhaps the malware maker might have seen Alden’s blog post, and added the anti-VM capability to make it a little more difficult for malware analysts to pick apart.
This new Cuckoo Mach-O variant that checks whether it’s running within a VM has the SHA-256 hash 513bb09807c9c343fccf7df30f687ea490125745e5ae02177c92efeb514e4b30
.
Intego also found several additional new Cuckoo samples through our own threat hunting efforts; see the full list of new hashes in the IOCs section below.
Source of these new Cuckoo infections
Although we haven’t yet definitively confirmed this, it’s likely that the team behind this campaign is up to its usual tricks, including Google Ads poisoning. Threat actors often pay Google for top placement, with sponsored ads disguised as real ads for legitimate software. These ads appear immediately above the actual search results; if you aren’t careful, you could inadvertently visit a malware distribution site instead of landing on the real software developer’s site.
We recommend that everyone get out of the habit of “just Google it” to find legitimate sites. Such habits often include clicking on the first link without giving it much thought, under the assumption that Google won’t lead them astray, and will give them the correct result right at the top. Malware makers know this, of course, and that’s why they’re paying Google for the number-one position.
Until or unless Google does a much better job of vetting its ads, a better practice than “Google it” would be to bookmark trusted sites whenever possible, and to go back to those bookmarks in the future.
How can I keep my Mac safe from Cuckoo and other malware?
If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects these samples as OSX/Amos.ext, OSX/Amos.gen, OSX/PSW.ext, virus/OSX/AVA.Agent.qtqz, virus/OSX/AVI.Agent.emto, and similar names.
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.
If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.
One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.
If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.
Indicators of compromise (IOCs)
As is typical, some of these samples initially had a very low detection rate on the multi-engine single file scanning site VirusTotal. For the two shell script variants, 0 out of 60+ antivirus engines appeared to detect them. Several other files had fewer than 10 positive detections when first uploaded to VirusTotal.
Following are SHA-256 hashes of malware samples from Homebrew-related and other Cuckoo/AMOS malware campaigns:
2d96a92180403717f2f69d23c53398b597e2db15f683c04f41e34d048b1b0b16* 42b4b1c13d6bd206e8ad1630d5d61aff6d949326ff6800593695c91e65fc861a* 513bb09807c9c343fccf7df30f687ea490125745e5ae02177c92efeb514e4b30* 554354c8a0d089b99b1a47cbf71a0bc19c5fc9e4e8b27c74367d86a7a1940004* 683c69923e13c46919a691f553b2b7473a725d836c34e2b05a84bde1f1374f1c* 95a7734d5f853146f31bb2aafe043a3639f742d97ef8ba72070273493851e5a8* a76597803298ee9475f2ebffc9352ed983d3a05081f58dcf9f52111268be9cf9* cc3ff7f75f46bab9acb37b042ea02bdc55b759ff82778f019f51801c9df1d288* 1ea41635116b43afd1e50ed9dec1534699fb1958bd777971dd0fb7bc0ed104ec* e2848c89bd8976d8a22e8d76ddd06ea7a434e0adbbd8d4d422680424005df640* 0d3a9cb3d86aa94adcee79fc5511c2d86aa3c37cb142b00761d8cf9541062ccd** 1dfc5689913347d052a24488256758ce87ba7acff412fb293993552b38640b3e** 31eeefa264147131576371d87d75d948b4b4829fef713554486ef7e39fb0e8d4** 40b2b2fc795ad7d6105b68813a6a3c246f6dd9eb8e21176e63f01ba9d4c56efb** 5bdc9a651e2e8a6958a01f7a91d5318bd253a3ca310f2136cfb0dc45bbb83c6a** 6662576e48a44418beee861499346b037c23ec0a91fb05c2d9ae3dc42650ab82** 6e083739d0a443da1467219d7ace15d9b3488aad18b9f03870158b2d1c3b841f** 77b3c5090800665c70f90a0d1ce7e0469021a0c599c32e62d1c1059bc8451b6c** aef437e9030fbb4d61894e4113dc3615400dcc0259612f4131369bc8585cde64** 41ac6a7dd1f78d946d7321a2ec8c753a3db647d95d39474f80dc316ecfb803c2** ce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9 f608301ebb09ecdc9840c84f758f5e60cb6f7ab4d34d2f2d468af624eb800e50 574a0a47811b06228271c48dab1e3da889c643b90515b36bcdbdc8a48385785e 2958dfe9251c6bf997ceb94f2eea1b808a8e53bd5e79b7152f79379f441ede83 1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7 39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7 a709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc d8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8 254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b * first reported by Intego **first reported by Intego; added on May 17
The following domains and IP addresses have evidently been used in connection with these Cuckoo/AMOS samples and similar recent campaigns:
homebrew[.]cx homebrew[.]page homebrewl[.]pro hornebrew[.]mom aroqui[.]com coinpepe[.]xyz dumpmedia[.]com fonedog[.]com rectanglemac[.]pro trello[.]bio tunefab[.]com tunesfun[.]com tunesolo[.]com willowsushi[.]com 5.42.100[.]86 5.255.107[.]149 77.221.151[.]41 79.137.192[.]4 85.217.222[.]185 109.120.178[.]3 146.70.80[.]123
Network administrators can check logs to try to identify whether any computers may have attempted to contact one of these domains or IPs in recent weeks, which could indicate a possible infection.
Do security vendors detect this by any other names?
Other antivirus vendors’ names for this malware may include variations of the following:
A Variant Of OSX/PSW.Agent.AN, A Variant Of OSX/PSW.Agent.BI, EmailWorm ( 0040f4c31 ), Gen:Variant.Trojan.MAC.Stealer.29 (B), HEUR:Trojan-PSW.OSX.Amos.gen, HEUR:Trojan-PSW.OSX.Amos.s, HEUR:Trojan-PSW.OSX.Amos.u, InfoStealer/OSX.Agent.160526166, InfoStealer/OSX.Agent.174240, InfoStealer/OSX.Agent.370704, IOS/Agent.AQ, IOS/Agent5.CW, MAC.S.Agent.160526166, MAC/Agent.BI!tr, MAC/Stealer.20!tr, MacOS:Agent-AJQ [Trj], MacOS:Agent-AJR [Trj], MacOS:Agent-ALY [Trj], MacOS/Agent.AQ, MacOS/Agent5.CW, Malware.OSX/AVA.Agent.gours, Malware.OSX/AVA.Agent.qtqzz, Malware.OSX/AVI.Agent.emtoe, Malware.OSX/GM.Agent.LC, Malware.OSX/GM.Agent.RX, Osx.Trojan-QQPass.QQRob.Fkjl, OSX.Trojan.Agent.K8KYBW, OSX.Trojan.Agent.V7M1LN, OSX.Trojan.Agent.Y7B81N, OSX.Trojan.Gen.2, OSX/Agent.BI!tr.pws, OSX/Generic.e, OSX/GM.Agent.LC, OSX/GM.Agent.RX, OSX/PSW.Agent.BI, OSX/PWS-CNU, OSX/PWS-CNV, PossibleThreat, RiskWare:MacOS/Agent.AT, RiskWare:MacOS/Amos.J9OKG, TROJ_FRS.0NA104E724, Trojan:MacOS/Amos.I!MTB, Trojan:MacOS/Cuckoo!MTB, Trojan:MacOS/Multiverze, Trojan.Generic.35766692 (B), Trojan.GenericKD.72696158 (B), Trojan.MAC.Generic.118846 (B), Trojan.OSX.Amos.i!c, Trojan.OSX.Cuckoo, Trojan.OSX.Generic.4!c, Trojan.OSX.Psw, Trojan.OSX.Stealer, Trojan.Trojan.MAC.Stealer.29, Trojan[PSW]/MacOS.Amos, Trojan[stealer]:MacOS/Amos.gyf, Trojan[stealer]:MacOS/Amos.J9OKG, Trojan[stealer]:MacOS/Amos.s, Trojan[stealer]:MacOS/Amos.u, UDS:Trojan-PSW.OSX.Amos.s, Unix.Malware.Macos-10028017-0, Unix.Malware.Macos-10028612-0, Unix.Malware.Macos-10028816-0, Win32.Troj.Undef.a
How can I learn more?
You can read Alden’s X social media thread and personal blog post for more about the original variant of the Homebrew-lookalike Trojan horse. For more about the first AMOS malware variant that was identified as Cuckoo, you can read the writeup by Adam Kohler and Christopher Lopez.
Be sure to also check out our 2024 Apple malware forecast and our previous Mac malware articles from 2024 and earlier.
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: