A new piece of malware targeting Mac owners has been revealed by security researcher Remco Verhoef. It is aimed at people talking about cryptocurrencies on the Slack and Discord chat platforms. In his blog Verhoef wrote: “Previous days we’ve seen multiple MacOS malware attacks, originating within crypto-related Slack or Discord chat groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.”
Once installed, the code attempts to connect to a command and control (C&C) server owned by the attackers. If the connection to the C&C server succeeds, the attackers can then remotely access the Mac and execute code on it. The malware also steals the user password and stores it in a directory on the local machine.
Verhoef notes that: “CrownCloud, a German-based provider, is the owner of the block of 185.243.115.230 and the server appears to be located in the Netherlands.”
An unsophisticated piece of malware
The malicious code has been called OSX.Dummy by another researcher, Patrick Wardle. Wardle is the Chief Research Officer and founder of Digita Security. He has carried out his own analysis of the malware and published a blog on what he found. Wardle has named the malware OSX.Dummy because:
- the infection method is dumb – users have to self-infect by typing the string into the Terminal window
- the massive size of the binary is dumb – it is 34MB
- the persistence mechanism is lame (and thus also dumb) – it places code into the Launch Daemons directory
- the capabilities are rather limited (and thus rather dumb) – stealing the user’s password and allowing the attacker to take remote control. The malware failed to connect to its server when Wardle was testing it
- it’s trivial to detect at every step (that’s dumb) – Wardle points to the tools he has written and points out that, because the user types the code into a Terminal window, it bypasses Apple’s GateKeeper. Wardle wrote: “…I guess the takeaway here is (yet again) the built-in macOS malware mitigations should never be viewed as a panacea.”
- …and finally, the malware saves the user’s password to dumpdummy
What does this mean?
This attack is targeting a very small number of users in specific chat groups. Both of the researchers who have analysed it agree that it is an unsophisticated attack. However, the fact that it is managing to succeed at all shows how easy it is to persuade users to bypass the built-in security on a device.
There is still a perception that MacOS is far more secure than Windows. There is some truth in that: there are fewer attacks at the moment, but year on year the numbers are growing. This attack exploits user stupidity to overcome the Mac GateKeeper programme.
OSX.Dummy runs with root privileges and allows the attackers to download more code. This means that enterprise security teams should make sure that Mac users are not infected. Attackers could install a keylogger and steal enterprise credentials for resale on the Dark Web. Wardle has posted a Python script that can be used to detect an infected machine.
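As an added example, not Wardle’s script, the following Python sweep checks a Mac for the three traits the article describes: a LaunchDaemon pointing at an oversized (tens of megabytes) binary, a dropped “dumpdummy” password file, and a network connection to the 185.243.115.230 address Verhoef names. The fixture in demo() is constructed (fake plist, sparse 35 MB file, invented netstat line and port); the real daemon and file names used by the malware are not given in the article and are not assumed here.

```python
"""Hunt for OSX.Dummy traits: oversized LaunchDaemon binary, dumpdummy file, C&C traffic."""
import os
import plistlib
import tempfile
from pathlib import Path

C2_IP = "185.243.115.230"          # C&C address quoted in the article
SIZE_LIMIT = 30 * 1024 * 1024      # the malware binary is ~34 MB; legit daemons are far smaller


def oversized_daemons(daemon_dir, size_limit=SIZE_LIMIT):
    """Return (plist, program, size) for every LaunchDaemon whose program exceeds size_limit."""
    hits = []
    for plist in Path(daemon_dir).glob("*.plist"):
        try:
            with open(plist, "rb") as fh:
                cfg = plistlib.load(fh)
        except Exception:
            continue  # unreadable or malformed plist: skip it rather than abort the sweep
        args = cfg.get("ProgramArguments") or [cfg.get("Program", "")]
        prog = args[0] if args else ""
        if prog and os.path.isfile(prog) and os.path.getsize(prog) > size_limit:
            hits.append((str(plist), prog, os.path.getsize(prog)))
    return hits


def dumpdummy_files(search_dirs):
    """Return any file literally named 'dumpdummy' in the given directories."""
    return [str(p) for d in search_dirs for p in Path(d).glob("dumpdummy") if p.is_file()]


def c2_connections(netstat_output, c2_ip=C2_IP):
    """Return the lines of `netstat -an` output that mention the C&C address."""
    return [ln for ln in netstat_output.splitlines() if c2_ip in ln]


def demo():
    """Constructed fixture: fake LaunchDaemon plist, sparse 35 MB binary, dumpdummy file."""
    root = Path(tempfile.mkdtemp())
    daemons, tmp = root / "LaunchDaemons", root / "tmp"
    daemons.mkdir()
    tmp.mkdir()
    binary = tmp / "fake_binary"
    with open(binary, "wb") as fh:
        fh.truncate(35 * 1024 * 1024)  # sparse file: reports 35 MB without writing it
    with open(daemons / "example.plist", "wb") as fh:
        plistlib.dump({"Label": "example", "ProgramArguments": [str(binary)]}, fh)
    (tmp / "dumpdummy").write_text("constructed-password\n")
    netstat = f"tcp4  0  0  10.0.0.5.49222  {C2_IP}.8443  ESTABLISHED\n"  # invented port
    return {"daemons": oversized_daemons(daemons),
            "dumpdummy": dumpdummy_files([tmp]),
            "c2": c2_connections(netstat)}
```

On a live machine, call oversized_daemons("/Library/LaunchDaemons"), dumpdummy_files(["/tmp", os.path.expanduser("~")]) and c2_connections with the output of `netstat -an`.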
Details of this attack were only posted on Friday 29th June by Verhoef. Wardle admits that he has had limited time to investigate the code closely. This means that there is always the possibility that this attack has some hidden layers. For now, its impact is limited.