Cuckoo Stealer is macOS malware with characteristics of both spyware and an infostealer that has been in use since at least 2024. It is a universal Mach-O binary that runs on both Intel and ARM-based Macs and has been distributed through trojanized versions of potentially unwanted programs (PUPs) such as converters, cleaners, and uninstallers.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1647 | Plist File Modification | Cuckoo Stealer can create and populate property list (plist) files to enable execution.[1][2] |
| Enterprise | T1555.001 | Credentials from Password Stores: Keychain | Cuckoo Stealer can capture files from a targeted user's keychain directory.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.[1][2] |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | Cuckoo Stealer can achieve persistence by creating launch agents that repeatedly execute malicious payloads.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Cuckoo Stealer strings are deobfuscated prior to execution.[1][2] |
| Enterprise | T1059.002 | Command and Scripting Interpreter: AppleScript | Cuckoo Stealer can use osascript to generate a password-stealing prompt, duplicate files and folders, and set environment variables.[1][2] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Cuckoo Stealer can spawn a bash shell to enable execution on compromised hosts.[1] |
| Enterprise | T1113 | Screen Capture | Cuckoo Stealer can run |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Cuckoo Stealer can use the curl API for C2 communications.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to |
| Enterprise | T1083 | File and Directory Discovery | Cuckoo Stealer can search for files associated with specific applications.[1][2] |
| Enterprise | T1217 | Browser Information Discovery | Cuckoo Stealer can collect bookmarks, cookies, and history from Safari.[1] |
| Enterprise | T1027.008 | Obfuscated Files or Information: Stripped Payloads | Cuckoo Stealer is a stripped binary payload.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Cuckoo Stealer strings are XOR-encrypted.[1][2] |
| Enterprise | T1614 | System Location Discovery | Cuckoo Stealer can determine the geographical location of a victim host by checking the system language.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Cuckoo Stealer can check the system's |
| Enterprise | T1082 | System Information Discovery | Cuckoo Stealer can gather information about the OS version and hardware on compromised hosts.[1][2] |
| Enterprise | T1033 | System Owner/User Discovery | Cuckoo Stealer can discover the username on a compromised host and send it to C2.[1] |
| Enterprise | T1569.001 | System Services: Launchctl | Cuckoo Stealer can use |
| Enterprise | T1518 | Software Discovery | Cuckoo Stealer has the ability to search systems for installed applications.[1] |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | Cuckoo Stealer has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window.[1] |
| Enterprise | T1057 | Process Discovery | Cuckoo Stealer can use |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Cuckoo Stealer can send information about the targeted system to C2, including captured passwords, OS build, hostname, and username.[1] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Cuckoo Stealer has copied its binary and the victim's scraped password into a hidden folder in the |
| Enterprise | T1095 | Non-Application Layer Protocol | Cuckoo Stealer can use sockets for communications to its C2 server.[1] |
| Enterprise | T1553.001 | Subvert Trust Controls: Gatekeeper Bypass | Cuckoo Stealer can use |
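The launch-agent persistence, interpreter use, hidden-folder staging and masquerade name listed above can be hunted for together by parsing the plists in a user's LaunchAgents folder. The following triage script is an added example for this page; it is not code from the ATT&CK entry or from the reports it cites, and it knows nothing about the real sample beyond what the table states. The sample plists it writes are constructed for the demo: the label names, the user path /Users/alice and the hidden directory name are invented placeholders, not observed Cuckoo Stealer artifacts, and the set of interpreters it flags is an assumption.

```python
"""Triage macOS LaunchAgent plists for the patterns in the Cuckoo Stealer table.

Added example (not from the ATT&CK page or its cited reports). Flags launchd jobs that:
  * run an interpreter such as osascript or bash   (T1059.002 / T1059.004)
  * reference a hidden (dot-prefixed) directory     (T1564.001)
  * reference the masquerade name from the page     (T1036.005)
and notes RunAtLoad/KeepAlive persistence on those jobs (T1543.001).
"""
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

MASQUERADE_NAMES = {"DumpMediaSpotifyMusicConverter"}   # name stated on the page
INTERPRETERS = {"osascript", "bash", "sh", "zsh"}        # assumption: interpreters worth flagging


def program_of(plist: dict) -> list[str]:
    """Return the command line a launchd job runs, merging Program and ProgramArguments."""
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    prog = plist.get("Program")
    if prog and (not args or args[0] != prog):
        args.insert(0, str(prog))
    return args


def hidden_path(token: str) -> bool:
    """True if any path component of the token is dot-prefixed (a hidden file or directory)."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in Path(token).parts)


def assess(plist: dict) -> list[str]:
    """Map one parsed plist to a list of ATT&CK-tagged findings (empty if nothing suspicious)."""
    findings: list[str] = []
    argv = program_of(plist)
    if not argv:
        return findings
    exe = Path(argv[0]).name
    if exe in INTERPRETERS:
        findings.append(f"T1059: job runs interpreter {exe}")
    for tok in argv:
        if hidden_path(tok):
            findings.append(f"T1564.001: references hidden path {tok}")
            break
    joined = " ".join(argv)
    for name in MASQUERADE_NAMES:
        if name in joined:
            findings.append(f"T1036.005: references masquerade name {name}")
    # RunAtLoad alone is normal for benign agents; only report it as context on a hit.
    if findings and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        findings.append("T1543.001: RunAtLoad/KeepAlive persistence on a flagged job")
    return findings


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Parse every *.plist in directory; return {filename: findings} for flagged or broken files."""
    results: dict[str, list[str]] = {}
    for p in sorted(directory.glob("*.plist")):
        try:
            with p.open("rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError, ExpatError):
            results[p.name] = ["unparseable plist"]   # worth a look on its own
            continue
        hits = assess(data)
        if hits:
            results[p.name] = hits
    return results


def build_samples(directory: Path) -> None:
    """Write constructed sample plists (invented labels and paths, not real artifacts)."""
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/bin/bash", "-c",
                                 "/Users/alice/.hidden/DumpMediaSpotifyMusicConverter"],
            "RunAtLoad": True,
        },
        "com.example.backup.plist": {          # benign: RunAtLoad but nothing else
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
            "RunAtLoad": True,
        },
        "com.example.prompt.plist": {          # osascript password prompt text from the page
            "Label": "com.example.prompt",
            "Program": "/usr/bin/osascript",
            "ProgramArguments": ["/usr/bin/osascript", "-e",
                                 'display dialog "macOS needs to access System Settings" '
                                 'default answer "" with hidden answer'],
            "KeepAlive": True,
        },
    }
    for name, content in samples.items():
        with (directory / name).open("wb") as fh:
            plistlib.dump(content, fh)
    (directory / "broken.plist").write_bytes(b"not a plist at all")


def demo() -> dict[str, list[str]]:
    """Run the scanner over the constructed samples in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        build_samples(d)
        return scan_launch_agents(d)


if __name__ == "__main__":
    for fname, hits in demo().items():
        print(fname, "->", "; ".join(hits))
    # On a live host: scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
```

The scanner treats a parse failure as a finding in its own right, since a deliberately malformed plist in LaunchAgents is itself unusual, and it reports RunAtLoad/KeepAlive only on jobs that already matched another indicator, because almost every legitimate agent sets RunAtLoad.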