The First Mac Malware of 2018 Is a DNS Hijacker Called MaMi

Solarquest

We are barely two weeks into 2017, and security researchers have already spotted the first new Mac malware strain this year.

Called OSX/MaMi, all evidence points that this is still a work in progress, but one that comes with some pretty intrusive features, if ever completed and activated.

The malware's first victim appears to be a teacher in the US, who suspected a malware infection after realizing he/she couldn't change their Mac's DNS servers.

MaMi comes with some pretty worrisome features
Following some clever sleuthing, Mac security expert Patrick Wardle tracked down the malware hosted on a website located at regardens[.]info.

The malware is distributed in the form of an unsigned Mach-O 64-bit binary that currently doesn't trigger any detections on aggregated scan engines such as VirusTotal.

Analyzing the malware source code, Wardle says he found code that hinted the malware could:

  • Install a local certificate
  • Set up custom DNS settings
  • Take screenshots
  • Hijack mouse clicks
  • Run AppleScripts
  • Get OS launch persistence
  • Download and upload files
  • Execute commands

The current version of this malware does not support most of these features, but can only get boot persistence, install a local certificate, and set up custom DNS server settings.

Taking into account the rest of the features, this could very well be a remote access trojan in the making, but currently, it can only be classified as a mere DNS hijacker.

MaMi can evolve in the future
...
 

Ink

Read Full Analysis: Ay MaMi

[...]
OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads).

Let's end with some Q&A:
  1. How do I get infected?
    • At this time, this is unknown. However, it's likely the attackers are using (rather lame) methods such as malicious email, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.
  2. How do I know if I'm infected?
    • Check your DNS settings, looking to see if they've been set to 82.163.143.135 and 82.163.142.137. You can check via the terminal (e.g. networksetup -getdnsservers Wi-Fi), or via the System Preferences app (Network pane)
  3. Will my AV product protect me?
    • Eventually. But for now, it does not appear that any will. I'd recommend a 3rd-party tool such as a firewall that can detect & block outgoing traffic.
Also from the blog post:
I'm currently working on a free open-source firewall named 'LuLu' that will detect OSX/MaMi's network traffic.
LuLu is the free open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user.
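A defender-side version of the "check your DNS settings" step above, written for this thread as an added example (it is not code from the post, from Objective-See, or from LuLu). It checks every configured network service rather than only Wi-Fi, and assumes the output formats of macOS `networksetup`; the live scan is skipped where that tool is absent, so the matching logic can be exercised on constructed input anywhere.

```shell
#!/bin/sh
# OSX/MaMi DNS resolver indicators, as quoted from the write-up above.
MAMI_DNS="82.163.143.135 82.163.142.137"

# dns_lines_match_mami: reads the lines printed by
# `networksetup -getdnsservers <service>` on stdin, prints every line that
# equals a MaMi resolver, and returns 0 if at least one matched (1 otherwise).
dns_lines_match_mami() {
    found=1
    while IFS= read -r line; do
        # With no manual servers set, networksetup prints a sentence, not an IP.
        case "$line" in
            *"There aren't any DNS Servers"*) continue ;;
        esac
        for ioc in $MAMI_DNS; do
            if [ "$line" = "$ioc" ]; then
                echo "$line"
                found=0
            fi
        done
    done
    return $found
}

# scan_services: walk every network service (Wi-Fi, Ethernet, VPNs, ...) and
# report the ones whose DNS servers match. macOS only. The first line of
# -listallnetworkservices is a legend, and disabled services carry a leading '*'.
scan_services() {
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        hits=$(networksetup -getdnsservers "$svc" | dns_lines_match_mami) || true
        if [ -n "$hits" ]; then
            echo "SUSPECT: $svc uses MaMi DNS server(s): $(echo "$hits" | tr '\n' ' ')"
        fi
    done
}

# Run the live scan only where networksetup exists (i.e. on macOS).
if command -v networksetup >/dev/null 2>&1; then
    scan_services
fi
```

A hit here is a strong indicator; a clean result only says the DNS settings are not the two known resolvers, so the root certificate and launch persistence described in the write-up still need to be checked separately.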
 
