We are barely two weeks into 2018, and security researchers have already spotted the first new Mac malware strain this year.
Called OSX/MaMi, all evidence points that this is still a work in progress, but one that comes with some pretty intrusive features, if ever completed and activated.
The malware's first victim appears to be a teacher in the US, who suspected a malware infection after realizing he/she couldn't change their Mac's DNS servers.
MaMi comes with some pretty worrisome features
Following some clever sleuthing, Mac security expert Patrick Wardle tracked down the malware hosted on a website located at regardens[.]info.
The malware is distributed in the form of an unsigned Mach-O 64-bit binary that currently doesn't trigger any detections on aggregated scan engines such as VirusTotal.
Analyzing the malware source code, Wardle says he found code that hinted the malware could:
⯮ Set up custom DNS settings
⯮ Take screenshots
⯮ Hijack mouse clicks
⯮ Run AppleScripts
⯮ Get OS launch persistence
⯮ Download and upload files
⯮ Execute commands
The current version of this malware does not support most of these features, but can only get boot persistence, install a local certificate, and set up custom DNS server settings.
Taking into account the rest of the features, this could very well be a remote access trojan in the making, but currently, it can only be classified as a mere DNS hijacker.
MaMi can evolve in the future
"OSX/MaMi isn't particular advanced - but does alter infected systems in rather nasty and persistent ways," Wardle says. "By installing a new root certifcate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)."
But Wardle fears the malware could evolve pretty quick and might have more secrets hidden in its code.
"Perhaps in order for the [more intrusive] methods [taking screenshots, executing commands] to be executed or for the malware to be persisted, requires some attack-supplied input, or other preconditions that just weren't met in my VM. I'll keep digging!," Wardle said.
The two DNS servers the malware adds to infected hosts are:
82.163.143.135
82.163.142.137
Comments
JesseBropez - 6 years ago
These DNS addresses have also been used on infected Windows hosts by an adware variant known as DNS Unlocker for years.