OSX/Mami

We are barely two weeks into 2018, and security researchers have already spotted the first new Mac malware strain this year.

Called OSX/MaMi, all evidence points that this is still a work in progress, but one that comes with some pretty intrusive features, if ever completed and activated.

The malware's first victim appears to be a teacher in the US, who suspected a malware infection after realizing he/she couldn't change their Mac's DNS servers.

MaMi comes with some pretty worrisome features

Following some clever sleuthing, Mac security expert Patrick Wardle tracked down the malware hosted on a website located at regardens[.]info.

The malware is distributed in the form of an unsigned Mach-O 64-bit binary that currently doesn't trigger any detections on aggregated scan engines such as VirusTotal.

Analyzing the malware source code, Wardle says he found code that hinted the malware could:

⯮ Install a local certificate
⯮ Set up custom DNS settings
⯮ Take screenshots
⯮ Hijack mouse clicks
⯮ Run AppleScripts
⯮ Get OS launch persistence
⯮ Download and upload files
⯮ Execute commands

The current version of this malware does not support most of these features, but can only get boot persistence, install a local certificate, and set up custom DNS server settings.

Taking into account the rest of the features, this could very well be a remote access trojan in the making, but currently, it can only be classified as a mere DNS hijacker.

MaMi can evolve in the future

"OSX/MaMi isn't particular advanced - but does alter infected systems in rather nasty and persistent ways," Wardle says. "By installing a new root certifcate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)."

But Wardle fears the malware could evolve pretty quick and might have more secrets hidden in its code.

"Perhaps in order for the [more intrusive] methods [taking screenshots, executing commands] to be executed or for the malware to be persisted, requires some attack-supplied input, or other preconditions that just weren't met in my VM. I'll keep digging!," Wardle said.

The two DNS servers the malware adds to infected hosts are:

82.163.143.135
82.163.142.137

Related Articles:

OSX.Dummy Mac Malware Targets Cryptocurrency Users on Slack and Discord Channels

Hackers Exploiting DLink Routers to Redirect Users to Fake Brazilian Banks

U.S. Payment Processing Services Targeted by BGP Hijacking Attacks

Funny Google Chromebook Ad Mocks Windows and macOS Operating Systems

Researchers Discover Calisto, a Precursor to Dangerous Proton macOS Malware