We are barely two weeks into 2018, and security researchers have already spotted the first new Mac malware strain of the year.
Called OSX/MaMi, all evidence points to this still being a work in progress, but one that comes with some pretty intrusive features, if they are ever completed and activated.
The malware's first known victim appears to be a teacher in the US, who suspected an infection after realizing they could not change their Mac's DNS servers; every attempt was reverted.
MaMi comes with some pretty worrisome features
Following some clever sleuthing, Mac security expert Patrick Wardle tracked down the malware hosted on a website located at regardens[.]info.
The malware is distributed in the form of an unsigned Mach-O 64-bit binary that currently doesn't trigger any detections on aggregated scan engines such as VirusTotal.
Reverse engineering the binary, Wardle says he found code hinting that the malware could:
⯮ Install a local certificate
⯮ Set up custom DNS settings
⯮ Take screenshots
⯮ Hijack mouse clicks
⯮ Run AppleScripts
⯮ Get OS launch persistence
⯮ Download and upload files
⯮ Execute commands
The current version of this malware does not support most of these features; it can only gain launch persistence, install a local certificate, and set custom DNS server settings.
Taking the rest of the features into account, this could very well be a remote access trojan in the making, but for now it can only be classified as a DNS hijacker. That is still not harmless: attacker-controlled resolvers paired with a certificate the victim's Mac trusts are exactly the two ingredients needed to redirect and silently intercept the victim's HTTPS traffic.
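The three behaviours the current build does implement (rogue DNS servers, a locally trusted certificate, launch persistence) are all things a Mac user or admin can check for without any special tooling. The triage script below is an added example written for this article, not code from the article or from Wardle's analysis. It reads the output of Apple's own `networksetup` and `security` tools and inspects launch agent plists; the DNS allowlist, the trusted program prefixes and the sample inputs are constructed assumptions for illustration, not indicators taken from MaMi, and the `Cert N: <name>` line format it expects from `security dump-trust-settings -d` is assumed.

```python
"""Triage helper for MaMi-style DNS hijackers on macOS.

Added example, not the article's or Patrick Wardle's code. Flags resolvers
that are not on an allowlist, lists certificates with admin trust settings,
and reports launch agents whose program lives outside trusted paths.
"""
import plistlib
import subprocess
import sys
from pathlib import Path
from typing import Dict, List

# Assumed allowlist: the resolvers this environment expects to see. Replace with yours.
EXPECTED_DNS = {"192.168.1.1", "1.1.1.1", "8.8.8.8"}

# Assumed: directories a legitimate launch item's program normally lives under.
TRUSTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def parse_dns_servers(output: str) -> List[str]:
    """Turn `networksetup -getdnsservers <service>` output into a list of addresses.

    When no custom resolvers are set the tool prints a sentence instead of
    addresses, so lines containing spaces are ignored.
    """
    servers = []
    for line in output.splitlines():
        token = line.strip()
        if token and " " not in token and ("." in token or ":" in token):
            servers.append(token)
    return servers


def unexpected_dns(servers: List[str], expected=EXPECTED_DNS) -> List[str]:
    """Return resolvers not on the allowlist: the symptom MaMi's first victim noticed."""
    return [s for s in servers if s not in expected]


def parse_trust_settings(output: str) -> List[str]:
    """Extract certificate names from `security dump-trust-settings -d` output.

    Assumes the tool's 'Cert N: <name>' lines; a locally installed root that an
    attacker added for interception shows up here next to anything legitimate.
    """
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Cert ") and ":" in line:
            names.append(line.split(":", 1)[1].strip())
    return names


def suspicious_launch_items(plist_bytes: bytes) -> Dict[str, str]:
    """Inspect one LaunchAgent/LaunchDaemon plist; empty dict means nothing stood out."""
    findings: Dict[str, str] = {}
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    exe = data.get("Program") or (args[0] if args else "")
    if not exe:
        findings["no-program"] = "plist declares nothing to run"
    elif not exe.startswith(TRUSTED_PROGRAM_PREFIXES):
        findings["untrusted-path"] = exe
    if data.get("RunAtLoad"):
        findings["runs-at-load"] = "starts at login/boot"  # context, not an indicator by itself
    return findings


# Constructed sample: a launch agent pointing at a binary in a user-writable path.
SAMPLE_AGENT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/Shared/.hidden/updater", "--silent"],
    "RunAtLoad": True,
})


def main() -> int:
    if sys.platform != "darwin":
        print("Run on macOS; the parse_* functions also work offline on saved output.")
        return 0
    hits = 0
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    # First line of -listallnetworkservices is a legend; '*' marks disabled services.
    for svc in run("networksetup", "-listallnetworkservices").splitlines()[1:]:
        bad = unexpected_dns(parse_dns_servers(run("networksetup", "-getdnsservers", svc.lstrip("*"))))
        if bad:
            hits += 1
            print(f"[DNS] {svc}: unexpected resolvers {bad}")
    for name in parse_trust_settings(run("security", "dump-trust-settings", "-d")):
        print(f"[CERT] admin trust setting present for: {name}")
    for d in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")):
        for p in d.glob("*.plist"):
            try:
                found = suspicious_launch_items(p.read_bytes())
            except Exception as exc:  # malformed plist is itself worth a look
                found = {"unparseable": str(exc)}
            if "untrusted-path" in found or "unparseable" in found or "no-program" in found:
                hits += 1
                print(f"[PERSIST] {p}: {found}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

On a live system the script exits non-zero when any network service uses a resolver outside the allowlist or a launch item points at a program in an untrusted location; certificates with admin trust settings are only listed, since deciding which of them belong there requires a human. A resolver that keeps coming back after you reset it, as in the original report, is the strongest single sign that something like MaMi is reapplying the setting from a persistent launch item.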
MaMi can evolve in the future
...