MaMi - the first Mac malware of 2018

12.01.2018

Cybersecurity experts have spotted the first new Mac malware strain of this year.

It is called OSX/MaMi, and all evidence indicates it is still under development, but it already has some dangerous features.

The first victim of the new MaMi malware seems to be a US teacher who suspected a malware infection after realizing he couldn't change the Mac's DNS servers.

MaMi comes with some pretty worrisome features

Cybersecurity specialist Patrick Wardle tracked the malware to a website located at regardens[.]info.

The malware is distributed as an unsigned 64-bit Mach-O binary that, at the time of writing, triggers no detections on VirusTotal.

Analyzing the malware's code, Wardle says he found functionality that allows it to:

  • Install a local certificate
  • Set up custom DNS settings
  • Take screenshots
  • Hijack mouse clicks
  • Run AppleScripts
  • Get OS launch persistence
  • Download and upload files
  • Execute commands

The current version of the malware does not yet use most of these features, but it can gain boot persistence, install a local certificate, and set custom DNS server settings.

Given the rest of the features, it may be a remote access trojan in the making, but for now it can only be classified as a DNS hijacker.

MaMi can evolve in the future

"OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways," Wardle says. "By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)."

Wardle, however, fears that this new malware could evolve pretty quickly and might have more secrets hidden in its code.

"Perhaps in order for the [more intrusive] methods [taking screenshots, executing commands] to be executed or for the malware to be persisted, requires some attacker-supplied input, or other preconditions that just weren't met in my VM. I'll keep digging!" Wardle said.

The two DNS servers the malware adds to infected hosts are:

  • 82.163.143.135
  • 82.163.142.137
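As an added example (not from the article or from Wardle's analysis), the following Python script checks a Mac's DNS configuration for the two resolver addresses above. It parses the output of `scutil --dns`, which lists every configured nameserver; the sample output embedded in the script is constructed, not a real capture.

```python
"""Flag the resolver addresses associated with OSX/MaMi in macOS DNS settings."""
from __future__ import annotations

import re
import shutil
import subprocess

# Resolver addresses the article reports MaMi adds to infected hosts.
MAMI_DNS_SERVERS = {"82.163.143.135", "82.163.142.137"}

# Constructed sample of `scutil --dns` output from a hijacked host (not a real capture).
SAMPLE_SCUTIL_OUTPUT = """DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
"""

# Matches lines such as "  nameserver[0] : 82.163.143.135".
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(scutil_output: str) -> list[str]:
    """Return every nameserver address listed in `scutil --dns` output, in order."""
    return NAMESERVER_RE.findall(scutil_output)


def find_mami_resolvers(scutil_output: str) -> set[str]:
    """Return the configured resolvers that match the MaMi indicators (empty set if clean)."""
    return set(parse_nameservers(scutil_output)) & MAMI_DNS_SERVERS


def check_live_host() -> set[str]:
    """Run `scutil --dns` on this machine (macOS only) and return any matching resolvers."""
    if shutil.which("scutil") is None:
        raise RuntimeError("scutil not found; this check only runs on macOS")
    result = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True)
    return find_mami_resolvers(result.stdout)


if __name__ == "__main__":
    print("MaMi resolvers in sample output:", sorted(find_mami_resolvers(SAMPLE_SCUTIL_OUTPUT)))
```

Run it with `python3` on the affected Mac and call `check_live_host()` to inspect the real configuration; a non-empty result means the system resolvers point at the reported MaMi servers.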
