A researcher has discovered a strain of malware in the wild which targets Mac OS X users.
The malware, dubbed MaMi, was first spotted by security researcher Patrick Wardle.
The researcher spotted a forum post on Malwarebytes in which a user said a colleague “accidentally installed something” and this led to DNS hijacking.
Despite the user removing the DNS entries, the address changes, 18.104.22.168 and 22.214.171.124, remained persistent.
The only indicator spotted by Malwarebytes software at the time was reported as “MyCoupon” software, which is often labeled as nuisanceware. However, the hijack of DNS entries suggested that something more sinister was happening.
MaMi is not sophisticated. The unsigned Mach-O 64-bit executable has been marked as app version 1.1.0, which suggests the malware is fresh from development.
However, the creator of MaMi has included functionality including DNS hijacking, screenshot capture, generation of simulated mouse events, the download and upload of files, the execution of arbitrary code, and may also persist as a launch item.
In a blog post, Wardle said that while infection methods remain a mystery, the malware is hosted on a number of domains.
The researcher found it to be a “trivial” affair to decrypt the malware’s configuration data and discovered MaMi also installs a certificate through the Keychain Access app, which would allow for Man-in-The-Middle attacks (MiTM).
After consulting another researcher, an article titled, “The mystery of 126.96.36.199 and 188.8.131.52, related to the hijacked DNS addresses, came to light.
This research has created the theory that MaMi malware is a rehash of the 2015 Windows-based DNSUnlocker malware which has been known in the past to hijack DNS addresses on the Windows operating system.
“OSX/MaMi isn’t particularly advanced — but does alter infected systems in rather nasty and persistent ways,” the researcher noted. “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads).”
At the time of the blog post, all 59 engines on VirusTotal marked the file as “clean.” However, antivirus products have now begun to detect and block the malware, and 26 out of 59 engines will block MaMi malware from infiltrating OS X systems.