![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/05\/OSX-Cuckoo-Mac-macOS-malware-logo-v3-600x350-1.jpg\"){kind=logo}
<\/p>\n<\/p>\n
In recent months, we’ve written a lot about stealer malware that infects Macs<\/a>. One malware family that frequently resurfaces is Atomic Stealer<\/strong>, or AMOS<\/strong> (short for Atomic macOS Stealer). AMOS is designed to exfiltrate sensitive data from infected Macs; this typically includes things like saved passwords, cookies, autofill text, and cryptocurrency wallets. Recent headlines have used the malware or campaign name “Cuckoo<\/strong>”\u00a0to describe some variants of the AMOS family.<\/p>\n Cuckoo malware, like other AMOS variants, is distributed in the form of Trojan horses, often masquerading as supposedly pirated or “cracked” versions of apps. In recent months, numerous Trojan horses have pretend to be various legitimate apps; they employ elaborate campaigns, leveraging malicious Google Ads that link to lookalike homepages with Trojan downloads.<\/p>\n Yesterday, Intego began tracking new Cuckoo variants that have not been written about elsewhere.<\/strong> Here’s everything you need to know about Cuckoo, and how to stay protected.<\/p>\n In this article:<\/em><\/p>\n Atomic macOS Stealer (AMOS, or AtomicStealer) first surfaced<\/a> in late April 2023, just over a year ago. At the time, a threat actor began selling it via Telegram as malware as a service<\/strong>, licensable for $1,000 per month.<\/p>\n Since then, we’ve seen lots of AMOS variants emerge. We wrote about later campaigns in September 2023<\/a> and February 2024<\/a>, and we often discuss it on the Intego Mac Podcast<\/a>.<\/p>\n Earlier this month, we wrote about a previously undocumented AMOS variant<\/strong><\/a> that Intego’s research team discovered<\/strong>.<\/p>\n Most often, AMOS malware is distributed through malicious Google Ads campaigns. These poisoned Google ads appear at the top of search results, where many people will see and click on them. In some cases, the ads are virtually indistinguishable from legitimate Google Ads run by the real software companies they mimic.<\/p>\n Beginning a few weeks ago, in late April, a few antivirus vendors began calling some AMOS variants by the name Cuckoo.<\/p>\n Just yesterday, on the morning of Wednesday, May 15, a researcher named Alden wrote on social media<\/a> about a blog post<\/a> he had just published. Alden described this new campaign as distributing “Cuckoo and AtomicStealer.”<\/p>\n In his blog post, Alden wrote that someone had submitted a file to VirusTotal<\/a> that contacted a suspicious domain that mimics the homepage of Homebrew<\/a>, a popular macOS software package manager. The page tries to trick users into copying and pasting a command from the site into their Mac’s Terminal app.<\/p>\n While that might sound ridiculously suspicious and dangerous\u2014and it normally would be\u2014the legitimate Homebrew software is actually installed in this exact way. The lookalike page was so convincing that Alden himself, a professional malware researcher, said he would have fallen for it.<\/strong><\/p>\n A fake Homebrew site, part of an AMOS\/Cuckoo Mac malware campaign.<\/p><\/div>\n Compare for yourself. Would you have guessed correctly which is real, and which is fake?<\/p>\n The real Homebrew site. Ironically, it has a longer, more suspicious-looking install URL.<\/p><\/div>\n Interestingly, this is not the first time that malware makers have mimicked Homebrew. In 2020, threat actors used another domain<\/a> that was similar to that of the real Homebrew site, as part of a typosquatting<\/a> campaign. Additionally, back in 2017, Mac malware known as Dok<\/a> used “homebrew” in the filename of one of its LaunchAgents.<\/a><\/p>\n While conducting our own research based on Alden’s findings, Intego discovered that the shell script dropper and the initial Mach-O binary had both changed already<\/strong> from what were originally hosted on the lookalike site, merely hours after Alden’s social media post went live.<\/p>\n The new version of the bash script (the But where things get interesting is the Mach-O binary (the Of course, it still has the usual infostealer functionality: gathering wallets, passwords, and other sensitive data, and exfiltrating them to the malware maker. But what’s new in the updated sample we discovered is that it adds additional functionality to behave differently if it’s run within a virtual machine<\/strong>. In particular, it checks whether it’s running within a VirtualBox, VMware, or Parallels virtual environment. Most of the time, when an app contains VM detection, it’s to make the app more difficult for reverse engineers or malware analysts to investigate.<\/p>\n One can imagine that perhaps the malware maker might have seen Alden’s blog post, and added the anti-VM capability to make it a little more difficult for malware analysts to pick apart.<\/p>\n This new Cuckoo Mach-O variant that checks whether it’s running within a VM has the SHA-256 hash Intego also found several additional new Cuckoo samples<\/strong> through our own threat hunting efforts; see the full list of new hashes in the IOCs section<\/a> below.<\/a><\/p>\n Although we haven’t yet definitively confirmed this, it’s likely that the team behind this campaign is up to its usual tricks, including Google Ads poisoning<\/a>. Threat actors often pay Google for top placement, with sponsored ads disguised as real ads for legitimate software. These ads appear immediately above the actual search results; if you aren’t careful, you could inadvertently visit a malware distribution site instead of landing on the real software developer’s site.<\/p>\n We recommend that everyone get out of the habit of “just Google it” to find legitimate sites.<\/strong> Such habits often include clicking on the first link without giving it much thought, under the assumption that Google won’t lead them astray, and will give them the correct result right at the top. Malware makers know this, of course, and that’s why they’re paying Google for the number-one position.<\/p>\n Until or unless Google does a much better job of vetting its ads, a better practice than “Google it” would be to bookmark trusted sites whenever possible<\/strong>, and to go back to those bookmarks in the future.<\/a><\/p>\n If you use Intego VirusBarrier, you’re already protected from this malware. Intego detects these samples as OSX\/Amos.ext<\/strong>, OSX\/Amos.gen<\/strong>,\u00a0OSX\/PSW.ext<\/strong>, virus\/OSX\/AVA.Agent.qtqz<\/strong>, virus\/OSX\/AVI.Agent.emto<\/strong>, and similar names.<\/p>\n If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection<\/a>. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.<\/p>\n One of VirusBarrier’s unique features is that it can scan for malicious files on an iPhone, iPad, or iPod touch<\/a> in user-accessible areas of the device. To get started, just attach your iOS or iPadOS device to your Mac via a USB cable and open VirusBarrier.<\/p>\n If you use a Windows PC, Intego Antivirus for Windows<\/strong><\/a> can keep your computer protected from malware.<\/a><\/p>\n As is typical, some of these samples initially had a very low detection rate on the multi-engine single file scanning site VirusTotal. For the two shell script variants, 0 out of 60+ antivirus engines appeared to detect them. Several other files had fewer than 10 positive detections when first uploaded to VirusTotal.<\/p>\n Following are SHA-256 hashes of malware samples from Homebrew-related and other Cuckoo\/AMOS malware campaigns:<\/p>\n The following domains and IP addresses have evidently been used in connection with these Cuckoo\/AMOS samples and similar recent campaigns:<\/p>\n Network administrators can check logs to try to identify whether any computers may have attempted to contact one of these domains or IPs in recent weeks, which could indicate a possible infection.<\/a><\/p>\n Other antivirus vendors’ names for this malware may include variations of the following:<\/p>\n A Variant Of OSX\/PSW.Agent.AN, A Variant Of OSX\/PSW.Agent.BI, EmailWorm ( 0040f4c31 ), Gen:Variant.Trojan.MAC.Stealer.29 (B), HEUR:Trojan-PSW.OSX.Amos.gen, HEUR:Trojan-PSW.OSX.Amos.s, HEUR:Trojan-PSW.OSX.Amos.u, InfoStealer\/OSX.Agent.160526166, InfoStealer\/OSX.Agent.174240, InfoStealer\/OSX.Agent.370704, IOS\/Agent.AQ, IOS\/Agent5.CW, MAC.S.Agent.160526166, MAC\/Agent.BI!tr, MAC\/Stealer.20!tr, MacOS:Agent-AJQ [Trj], MacOS:Agent-AJR [Trj], MacOS:Agent-ALY [Trj], MacOS\/Agent.AQ, MacOS\/Agent5.CW, Malware.OSX\/AVA.Agent.gours, Malware.OSX\/AVA.Agent.qtqzz, Malware.OSX\/AVI.Agent.emtoe, Malware.OSX\/GM.Agent.LC, Malware.OSX\/GM.Agent.RX, Osx.Trojan-QQPass.QQRob.Fkjl, OSX.Trojan.Agent.K8KYBW, OSX.Trojan.Agent.V7M1LN, OSX.Trojan.Agent.Y7B81N, OSX.Trojan.Gen.2, OSX\/Agent.BI!tr.pws, OSX\/Generic.e, OSX\/GM.Agent.LC, OSX\/GM.Agent.RX, OSX\/PSW.Agent.BI, OSX\/PWS-CNU, OSX\/PWS-CNV, PossibleThreat, RiskWare:MacOS\/Agent.AT, RiskWare:MacOS\/Amos.J9OKG, TROJ_FRS.0NA104E724, Trojan:MacOS\/Amos.I!MTB, Trojan:MacOS\/Cuckoo!MTB, Trojan:MacOS\/Multiverze, Trojan.Generic.35766692 (B), Trojan.GenericKD.72696158 (B), Trojan.MAC.Generic.118846 (B), Trojan.OSX.Amos.i!c, Trojan.OSX.Cuckoo, Trojan.OSX.Generic.4!c, Trojan.OSX.Psw, Trojan.OSX.Stealer, Trojan.Trojan.MAC.Stealer.29, Trojan[PSW]\/MacOS.Amos, Trojan[stealer]:MacOS\/Amos.gyf, Trojan[stealer]:MacOS\/Amos.J9OKG, Trojan[stealer]:MacOS\/Amos.s, Trojan[stealer]:MacOS\/Amos.u, UDS:Trojan-PSW.OSX.Amos.s, Unix.Malware.Macos-10028017-0, Unix.Malware.Macos-10028612-0, Unix.Malware.Macos-10028816-0, Win32.Troj.Undef.a<\/span><\/a><\/p>\n You can read Alden’s X social media thread<\/a> and personal blog post<\/a> for more about the original variant of the Homebrew-lookalike Trojan horse. For more about the first AMOS malware variant that was identified as Cuckoo, you can read the writeup<\/a> by Adam Kohler and Christopher Lopez.<\/p>\n Be sure to also check out our 2024 Apple malware forecast<\/a> and our previous Mac malware articles<\/a> from 2024 and earlier.<\/p>\n You can also subscribe to our e-mail newsletter<\/strong><\/a> and keep an eye here on The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Mac malware known as Cuckoo has begun to disguise itself as Homebrew, a command-line installed Mac utility. Intego has discovered several new variants of the malware, which is also known as Atomic Stealer or AMOS.<\/p>\n","protected":false},"author":14,"featured_media":100608,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[4737,4738,4615,86,4722],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\t\n\t\n\t\n\n
A brief history of Cuckoo Mac malware<\/h3>\n
A new Cuckoo variant emerges<\/strong><\/h4>\n
![\"A](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/05\/Homebrew-homepage-fake-AMOS-Cuckoo-malware-campaign.jpg\")
![\"The](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/05\/Homebrew-homepage-real.jpg\")
Intego discovers new Cuckoo variants<\/h3>\n
install.sh<\/code> file) only had a minor, insignificant change, possibly to evade rudimentary antivirus protection based on whole-file hashes. The SHA-256 hash for the new variant is 1ea41635116b43afd1e50ed9dec1534699fb1958bd777971dd0fb7bc0ed104ec<\/code>.<\/p>\nbrewinstaller<\/code> file) distributed through the site.<\/p>\n513bb09807c9c343fccf7df30f687ea490125745e5ae02177c92efeb514e4b30<\/code>.<\/p>\nSource of these new Cuckoo infections<\/h3>\n
How can I keep my Mac safe from Cuckoo and other malware?<\/h3>\n
![\"Intego](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/06\/X9-Mac-Antivirus-Launch-300x150.png\")
Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9<\/a><\/strong>, is a powerful solution designed to protect against, detect, and eliminate Mac malware.<\/p>\nIndicators of compromise (IOCs)<\/h3>\n
2d96a92180403717f2f69d23c53398b597e2db15f683c04f41e34d048b1b0b16*\r\n42b4b1c13d6bd206e8ad1630d5d61aff6d949326ff6800593695c91e65fc861a*\r\n513bb09807c9c343fccf7df30f687ea490125745e5ae02177c92efeb514e4b30*\r\n554354c8a0d089b99b1a47cbf71a0bc19c5fc9e4e8b27c74367d86a7a1940004*\r\n683c69923e13c46919a691f553b2b7473a725d836c34e2b05a84bde1f1374f1c*\r\n95a7734d5f853146f31bb2aafe043a3639f742d97ef8ba72070273493851e5a8*\r\na76597803298ee9475f2ebffc9352ed983d3a05081f58dcf9f52111268be9cf9*\r\ncc3ff7f75f46bab9acb37b042ea02bdc55b759ff82778f019f51801c9df1d288*\r\n1ea41635116b43afd1e50ed9dec1534699fb1958bd777971dd0fb7bc0ed104ec*\r\ne2848c89bd8976d8a22e8d76ddd06ea7a434e0adbbd8d4d422680424005df640*\r\n0d3a9cb3d86aa94adcee79fc5511c2d86aa3c37cb142b00761d8cf9541062ccd**\r\n1dfc5689913347d052a24488256758ce87ba7acff412fb293993552b38640b3e**\r\n31eeefa264147131576371d87d75d948b4b4829fef713554486ef7e39fb0e8d4**\r\n40b2b2fc795ad7d6105b68813a6a3c246f6dd9eb8e21176e63f01ba9d4c56efb**\r\n5bdc9a651e2e8a6958a01f7a91d5318bd253a3ca310f2136cfb0dc45bbb83c6a**\r\n6662576e48a44418beee861499346b037c23ec0a91fb05c2d9ae3dc42650ab82**\r\n6e083739d0a443da1467219d7ace15d9b3488aad18b9f03870158b2d1c3b841f**\r\n77b3c5090800665c70f90a0d1ce7e0469021a0c599c32e62d1c1059bc8451b6c**\r\naef437e9030fbb4d61894e4113dc3615400dcc0259612f4131369bc8585cde64**\r\n41ac6a7dd1f78d946d7321a2ec8c753a3db647d95d39474f80dc316ecfb803c2**\r\nce6dc065752cb46437ce6a200e29d5dbd96473daa72dcce07aa493b821a99ba9\r\nf608301ebb09ecdc9840c84f758f5e60cb6f7ab4d34d2f2d468af624eb800e50\r\n574a0a47811b06228271c48dab1e3da889c643b90515b36bcdbdc8a48385785e\r\n2958dfe9251c6bf997ceb94f2eea1b808a8e53bd5e79b7152f79379f441ede83\r\n1827db474aa94870aafdd63bdc25d61799c2f405ef94e88432e8e212dfa51ac7\r\n39f1224d7d71100f86651012c87c181a545b0a1606edc49131730f8c5b56bdb7\r\na709dacc4d741926a7f04cad40a22adfc12dd7406f016dd668dd98725686a2dc\r\nd8c3c7eedd41b35a9a30a99727b9e0b47e652b8f601b58e2c20e2a7d30ce14a8\r\n254663d6f4968b220795e0742284f9a846f995ba66590d97562e8f19049ffd4b\r\n* first reported by Intego\r\n**first reported by Intego; added on May 17<\/pre>\n
homebrew[.]cx\r\nhomebrew[.]page\r\nhomebrewl[.]pro\r\nhornebrew[.]mom\r\naroqui[.]com\r\ncoinpepe[.]xyz\r\ndumpmedia[.]com\r\nfonedog[.]com\r\nrectanglemac[.]pro\r\ntrello[.]bio\r\ntunefab[.]com\r\ntunesfun[.]com\r\ntunesolo[.]com\r\nwillowsushi[.]com\r\n5.42.100[.]86\r\n5.255.107[.]149\r\n77.221.151[.]41\r\n79.137.192[.]4\r\n85.217.222[.]185\r\n109.120.178[.]3\r\n146.70.80[.]123<\/pre>\n
Do security vendors detect this by any other names?<\/h3>\n
How can I learn more?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/04\/intego-podcast-artwork-400.jpg\")
<\/a>Each week on the Intego Mac Podcast<\/strong><\/a>, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast<\/strong><\/a> to make sure you don\u2019t miss any episodes.<\/p>\n![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/X-Twitter-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Facebook-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/YouTube-logo-icon-225.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Pinterest-logo-icon-225.png\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/LinkedIn-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2024\/03\/Instagram-logo-icon-225.gif\" "\\"Follow"){kind=icon}
<\/a>\u00a0![\"Follow](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/10\/ios9-podcasts-app-tile.png\" "\\"Follow")
<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"