Cuckoo Stealer

Cuckoo Stealer can use the curl API for C2 communications.(Citation: Kandji Cuckoo April 2024)

Cuckoo Stealer can use osascript to generate a password-stealing prompt, duplicate files and folders, and set environmental variables.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

Cuckoo Stealer can achieve persistence by creating launch agents to repeatedly execute malicious payloads.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

Cuckoo Stealer can capture files from a targeted user's keychain directory.(Citation: Kandji Cuckoo April 2024)

Cuckoo Stealer has staged collected application data from Safari, Notes, and Keychain to `/var/folder`.(Citation: Kandji Cuckoo April 2024)

Cuckoo Stealer has copied its binary and the victim's scraped password into a hidden folder in the `/Users` directory.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

Cuckoo Stealer has captured passwords by prompting victims with a “macOS needs to access System Settings” GUI window.(Citation: Kandji Cuckoo April 2024)

Cuckoo Stealer has copied and renamed itself to DumpMediaSpotifyMusicConverter.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

Cuckoo Stealer is a stripped binary payload.(Citation: Kandji Cuckoo April 2024) (Citation: SentinelOne Cuckoo Stealer May 2024)

Cuckoo Stealer can use `xattr -d com.apple.quarantine` to remove the quarantine flag attribute.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

Cuckoo Stealer can check the systems `LANG` environmental variable to prevent infecting devices from Armenia (`hy_AM`), Belarus (`be_BY`), Kazakhstan (`kk_KZ`), Russia (`ru_RU`), and Ukraine (`uk_UA`).(Citation: Kandji Cuckoo April 2024)

Cuckoo Stealer can use `launchctl` to load a LaunchAgent for persistence.(Citation: Kandji Cuckoo April 2024)