Cybersecurity experts noticed the first new Mac malware strain this year.
It is called OSX/MaMi and all evidence points that it is still a work under development, but there are some pretty dangerous features.
The first victim of the new MaMi malware seems to be a US teacher who suspected a malware infection after realizing he couldn't change the Mac's DNS servers.
MaMi comes with some pretty worrisome features
Cybersecurity specialist Patrick Wardle tracked down the malware hosted on a website located at regardens[.]info.
The malware spreads in the form of an unsigned Mach-O 64-bit binary that currently doesn't trigger any detections on scan engines such as VirusTotal.
Analyzing the malware source code, Wardle says he found code that allows the malware to:
- Install a local certificate
- Set up custom DNS settings
- Take screenshots
- Hijack mouse clicks
- Run AppleScripts
- Get OS launch persistence
- Download and upload files
- Execute commands
The current version of this malware still does not support most of these features, but it can get boot persistence, install a local certificate, and set up custom DNS server settings.
Given the rest of the features, however, it may be a remote access trojan in the making, but currently, it can only be classified as a DNS hijacker.
MaMi can evolve in the future
"OSX/MaMi isn't particular advanced - but does alter infected systems in rather nasty and persistent ways," Wardle says. "By installing a new root certifcate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)."
Wardle, however, fears that this new malware could evolve pretty quick and might have more secrets hidden in its code.
"Perhaps in order for the [more intrusive] methods [taking screenshots, executing commands] to be executed or for the malware to be persisted, requires some attack-supplied input, or other preconditions that just weren't met in my VM. I'll keep digging!" Wardle said.
The two DNS servers the malware adds to infected hosts are: