Hackers are targeting users who discuss cryptocurrencies on Discord and Slack
Security researchers have recently discovered a new string of Mac OS malware attacks. The malicious code is relatively unsophisticated, as virus authors use primitive infection techniques. However, users who get tricked into installing OSX.Dummy virus put their privacy and sensitive data at risk.
It seems like cybercriminals are targeting users who are discussing digital currency market on popular chatting platforms Discord and Slack. Hackers have been infiltrating groups and pretending to be administrators of certain websites. According to researchers, they share small snippets within the chat group and those who download them end up installing malicious binary code into their systems.
As soon as the payload is distributed, OSX.Dummy tries to contact a remote Command & Control server, owned by cybercriminals. This allows bad actors to gain root access to Mac OS machine and run code on it.
Security expert dubbed the malware “dumb”
The malicious program was first discovered and characterized by DotchSec founder Remco Verhoef, which he described in SANS ISC InfoSec blog on Friday. Another security researcher and founder of Digita Security Patrick Wardle, has called the malware “dumb,” giving it a rather amusing name of OSX.Dummy.
First of all, he criticized malware's distribution methods. Typically, hackers use rather clever social engineering skills to inject computers with viruses. However, these bad actors “are asking users to infect themselves,” he said. If victims fail for this poorly executed social engineering attack, a hefty file of 34MB is downloaded on their system and placed into macOS/tmp/script directory. Malware is also using /tmp/dumpdummy to save users' passwords and usernames in.
As soon as the code is executed, the malware attempts to run sudo command via Terminal, which is only established if the user is connected to the administrator account protected by the password. Then, the victim is prompted to enter the password, allowing OSX.Dummy to gain root access rights.
To gain persistence, the malware executes its code into various directories on the targeted Mac OS. Next, malware connects to a remote server:
The bash script (which runs a python command) tries to connect to 126.96.36.199 at port 1337 within a loop and the python code creates a reverse shell. To ensure execution during startup it creates a launch daemon. At the moment I was testing this, the reverse shell failed to connect.
Verhoef also noted that the 188.8.131.52 block belongs to German-based firm CrownCloud, and the server is located in the Netherlands. However, nothing more is known about possible attackers.
OSX.Dummy avoids Gatekeeper, although Virus Total recognizes the file as malicious
Although the giant 34MB payload binary is not signed, it still manages to avoid Gatekeeper – the macOS software produced to stop the execution of unsigned files. The malware is capable of doing that because the victim who is downloading the binary is downloading it directly via terminal commands. This way, Gatekeeper's protection is bypassed, and the malicious payload is established.
Initially, Virus Total scored a total of 0 detections out of 60, meaning, that none of the AVs recognized the file as malicious. At the time of the writing, 11 out of 60 anti-virus programs recognize the file, which is good news for unsuspecting users.
Although the OSX.Dummy virus is primitive, it can still inflict a lot of damage to the person who is gullible enough to download the binary. After all, the malware can connect to the adversary’s C&C server, which allows bad actors to take over the targeted system and steal private information. Mac OS users should be cautious, as it is not the first time Apple products have been struck by malware.