Hackers using macOS malware are targeting cryptocurrency investors who use the Slack and Discord chat platforms. The malware, dubbed OSX.Dummy, uses an unsophisticated infection method, but those who are successfully attacked open their systems up to remote arbitrary code execution.
“If the connection to the attacker’s C&C server succeeds, the attacker will be able to arbitrarily execute commands (as root!) on the infected system,” wrote Patrick Wardle, chief research officer at Digita Security in a blog post Friday.
The malware was first spotted and described by researcher Remco Verhoef, who posted his findings early Friday to the SANS InfoSec Handlers Diary Blog. The researcher said he observed multiple attacks last week.
“[Over the] previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary,” he wrote.
Users are enticed by attackers to execute a script that in turn downloads the hefty 34MB OSX.Dummy malware via cURL. The download is saved to the macOS /tmp/script path and then executed. “The file is a large mach064 binary (34M), rating a perfect score of 0/60 on VirusTotal,” Verhoef wrote.
The binary is unsigned, Wardle notes, adding that the malware is able to sidestep macOS Gatekeeper, the built-in control designed to prevent unsigned software that was downloaded from being executed.
“Normally such a binary would be blocked by Gatekeeper. However if users are downloading and running a binary directly via terminal commands, Gatekeeper does not come into play and thus unsigned binary will be allowed to execute,” Wardle wrote. “I guess the take away here is (yet again) the built-in macOS malware mitigations should never be viewed as a panacea.”
As the malware binary is executed, a sudo command (run via Terminal) elevates the malware to root. “[T]his will require the user to enter their password in the terminal,” Wardle explains. According to Apple, “to execute a sudo command in Terminal on your Mac, you must be logged in with an administrator account that has a password.”
From there, the malware drops code in various macOS directories including “/Library/LaunchDaemons/com.startup.plist”, which gives the OSX.Dummy persistence.
“The bash script (which runs a python command) tries to connect to 185[.]243[.]115[.]230 at port 1337 within a loop and the python code creates a reverse shell. To ensure execution during startup it creates a launch daemon. At the moment I was testing this, the reverse shell failed to connect,” Verhoef wrote.
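The persistence and reconnect behaviour described above (a launch daemon at /Library/LaunchDaemons/com.startup.plist that runs a /tmp script looping a python connection to 185.243.115.230 on port 1337, plus the /tmp/dumpdummy password drop) is exactly what a defender would triage first. The following is an added example, not code from the article or from either researcher: a small Python checker that parses a LaunchDaemon plist, flags programs run from /tmp, and greps the referenced script for the indicators the article names. The sample plist and script it scans are constructed inline (the script only echoes the indicator strings; it contains no network code), and the `script_root` parameter is an assumption added so the sample can live in a scratch directory instead of the real filesystem.

```python
"""Added example: triage a launchd daemon plist for the OSX.Dummy traits the
article describes. Sample files are constructed inline; nothing here talks to
the network."""
import os
import plistlib
import re
import tempfile

# Indicators taken from the article (Verhoef's and Wardle's write-ups).
C2_HOST = "185.243.115.230"
C2_PORT = "1337"
PERSISTENCE_PLIST = "com.startup.plist"
DROP_PATHS = ("/tmp/script", "/tmp/dumpdummy")
# Interpreters launchd is legitimately pointed at; we never grep these binaries.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def scan_script(text):
    """Return findings for the body of a script that a launch daemon runs."""
    findings = []
    if C2_HOST in text:
        findings.append("references known OSX.Dummy C2 host %s" % C2_HOST)
    if re.search(r"\b%s\b" % C2_PORT, text):
        findings.append("references C2 port %s" % C2_PORT)
    # The dropped script wraps its python call in a loop so it keeps retrying.
    if re.search(r"\bwhile\b.*?\bpython\b", text, re.S):
        findings.append("loops around a python invocation (reconnect loop pattern)")
    for path in DROP_PATHS:
        if path in text:
            findings.append("touches known drop path %s" % path)
    return findings


def scan_launch_daemon(plist_path, script_root=""):
    """Parse a LaunchDaemon plist and inspect what it executes.

    script_root (assumed helper parameter) is prefixed to the program paths so
    a constructed sample under a temp dir can be scanned; pass "" on a live host.
    """
    findings = []
    if os.path.basename(plist_path) == PERSISTENCE_PLIST:
        findings.append("plist filename matches OSX.Dummy persistence item")
    with open(plist_path, "rb") as fh:
        plist = plistlib.load(fh)
    program = plist.get("Program")
    executables = ([program] if program else []) + list(plist.get("ProgramArguments", []))
    for exe in executables:
        if exe.startswith(SYSTEM_DIRS):
            continue
        if exe.startswith("/tmp/"):
            findings.append("daemon runs a program from /tmp: %s" % exe)
        candidate = script_root + exe if script_root else exe
        if os.path.isfile(candidate):
            with open(candidate, errors="replace") as fh:
                findings.extend(scan_script(fh.read()))
    return findings


def build_sample(root):
    """Write a constructed plist + script mirroring the article's description."""
    os.makedirs(os.path.join(root, "tmp"), exist_ok=True)
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(daemons, exist_ok=True)
    with open(os.path.join(root, "tmp", "script"), "w") as fh:
        fh.write("#!/bin/bash\n"
                 "# constructed stand-in: only echoes the indicators, no network code\n"
                 "while true; do\n"
                 "  python -c \"print('%s %s')\"\n"
                 "  sleep 5\n"
                 "done\n" % (C2_HOST, C2_PORT))
    bad = os.path.join(daemons, PERSISTENCE_PLIST)
    with open(bad, "wb") as fh:
        plistlib.dump({"Label": "com.startup", "RunAtLoad": True, "KeepAlive": True,
                       "ProgramArguments": ["/bin/bash", "/tmp/script"]}, fh)
    benign = os.path.join(daemons, "com.example.backup.plist")  # constructed benign item
    with open(benign, "wb") as fh:
        plistlib.dump({"Label": "com.example.backup", "RunAtLoad": True,
                       "ProgramArguments": ["/usr/bin/rsync", "-a", "/Users", "/Volumes/Backup"]}, fh)
    return bad, benign


def demo():
    """Build the constructed samples in a scratch dir and return both scan results."""
    with tempfile.TemporaryDirectory() as root:
        bad, benign = build_sample(root)
        return scan_launch_daemon(bad, root), scan_launch_daemon(benign, root)


if __name__ == "__main__":
    suspicious, clean = demo()
    for finding in suspicious:
        print("[!]", finding)
    print("benign item findings:", clean)
```

On a real host the same `scan_launch_daemon` would be called with `script_root=""` over every file in /Library/LaunchDaemons; a daemon whose program lives under /tmp is worth a look on its own, regardless of whether the specific C2 address matches.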
Wardle notes that if the attack is successful, and the malware is able to connect to the adversary’s C2 server, the attacker can take control of the targeted system.
Wardle, not Verhoef, dubbed the malware OSX.Dummy because one of the directories used to dump the victim’s password is called “/tmp/dumpdummy”. He also shared other reasons:
“I’m calling it OSX.Dummy as: the infection method is dumb, the massive size of the binary is dumb, the persistence mechanism is lame (and thus also dumb), the capabilities are rather limited (and thus rather dumb), it’s trivial to detect at every step (that’s dumb) …and finally, the malware saves the user’s password to dumpdummy,” Wardle said.