Warning: DNS Hijacking Malware Targeting Apple macOS Users

[Jon4248]

Sources; 

https://objective-see.com/blog/blog_0x26.html

https://thehackernews.com/2018/01/macos-dns-hijacker.html?m=1

https://9to5mac.com/2018/01/15/macos-dns-hijacking-malware/
 

Good thing I installed Malwarebytes today...

 

Quote

Dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012.

I have a few Mac computers, so this is a concern to me, as well as I feel it will be for a lot of other users.

It is my understanding it is very hard to detect tell that it has been installed until scanners are updated;

 

Quote

MacOS users may wish to check out their DNS settings;

Quote

First appeared on the Malwarebytes forum, a user posted a query regarding unknown malware that infected his friend's computer that silently changed DNS settings on infected macOS to 82.163.143.135 and 82.163.142.137 addresses.

I did check mine and they appear to be fine. I for sure do not want these types of issues; 

 

Quote

"OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways," Patrick said.

"By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)" or to insert cryptocurrency mining scripts into web pages.

Besides this, the OSX/MaMi macOS malware, which appears to be in its initial stage, also includes below-mentioned abilities, most of which are not currently activated in its version 1.1.0:

 

• Take screenshots
• Generate simulated mouse events
• Perhaps persist as a launch item
• Download and upload files
• Execute commands

 

[johnukguy]

Thanks for posting this.

[captain_to_fire]

Doesn't meet the requirements 

• Your thread must include some original input to tell the reader why it is relevant to them, and what your personal opinion on the topic is. This needs to be MORE than just a quick, single comment to meet the posting guidelines.

[ARikozuM]

Just redirect @DrMacintosh to Pornhub. That'll teach 'em.

[Jon4248]

7 minutes ago, hey_yo_ said:

Doesn't meet the requirements 

• Your thread must include some original input to tell the reader why it is relevant to them, and what your personal opinion on the topic is. This needs to be MORE than just a quick, single comment to meet the posting guidelines.

ya I was adding more, clicked post to quickly sorry sir 

[aries757]

12 minutes ago, Jon4248 said:

 

@DrMacintosh @pornhub.com

 

17 minutes ago, ARikozuM said:

Just redirect @DrMacintosh to Pornhub. That'll teach 'em.

 

[Arika]

Quote

Macs dont get viruses

 

[Guest]

if ur a big dum dum and run unsigned software whut u think will happen. Its hardly anything newsworthy.

[Jon4248]

50 minutes ago, RorzNZ said:

if ur a big dum dum and run unsigned software whut u think will happen. Its hardly anything newsworthy.

true, I guess we should just delete it then. 

[Energycore]

4 minutes ago, Jon4248 said:

true, I guess we should just delete it then. 

 

55 minutes ago, RorzNZ said:

if ur a big dum dum and run unsigned software whut u think will happen. Its hardly anything newsworthy.

Just by the way, we don't delete threads unless they're directly in violation of our Community Standards.

 

Since this thread is about news (how relevant they are can be argued) and meets the guidelines, it'll stay on TnR

[Drak3]

1 hour ago, RorzNZ said:

if ur a big dum dum and run unsigned software whut u think will happen. Its hardly anything newsworthy.

It's unsure how the malware actually gets to the system. It's also easy to trick the average user into thinking a piece of malware is a legitimate piece of software from a trusted source, ie. Chrome extension, antivirus, F2P game, etc.

 

Particularly when the (false) notion that an OS is inherently secure and impervious to these types of attacks exist.

[DrMacintosh]

I bet its already patched  

[captain_to_fire]

3 hours ago, Jon4248 said:

I have a few Mac computers, so this is a concern to me, as well as I feel it will be for a lot of other users.

It is my understanding it is very hard to detect tell that it has been installed until scanners are updated;

Why? Because most AV vendors focus on detecting threats in Windows than in macOS even though threats on macOS is on the rise. That's why sometimes, freshly made malware gets detected by a few AV programs (heuristics or behavior analysis) and not to mention, Windows gives more access to AV programs to system resources like the kernel. I don't think macOS has given them that kind of access just yet. I could be wrong.

Edited January 17, 2018 by hey_yo_

[Drak3]

9 minutes ago, DrMacintosh said:

I bet its already patched  

I'm never taking you to Vegas. I'd be broke the second we got there.

[DrMacintosh]

7 minutes ago, Drak3 said:

I'm never taking you to Vegas. I'd be broke the second we got there.

There is a reason they call it lost wages 

[Guest]

1 hour ago, Energycore said:

 

Just by the way, we don't delete threads unless they're directly in violation of our Community Standards.

 

Since this thread is about news (how relevant they are can be argued) and meets the guidelines, it'll stay on TnR

I mean the notion of Macs not having viruses, or publicising this as a big threat. It is still worth knowing about, just in a different sense. It should definitely stay here for people to see.
 

1 hour ago, Drak3 said:

It's unsure how the malware actually gets to the system. It's also easy to trick the average user into thinking a piece of malware is a legitimate piece of software from a trusted source, ie. Chrome extension, antivirus, F2P game, etc.

 

Particularly when the (false) notion that an OS is inherently secure and impervious to these types of attacks exist.

You can't install unsigned apps from anywhere without unlocking the option. There are 3 tiers to choose from: Apps from the App Store, Apps from App Store and Identified Developers (Signed Apps), and from Anywhere. Any time you change these options and when you install an app that accesses the system you need to input your password / touchID / Apple Watch.

Now if you have it set to "anywhere" and you are a very naughty Mac user who gets their content through interesting means, this will be a problem. As with any virus this probably targets the gullible.

 

[captain_to_fire]

6 minutes ago, RorzNZ said:

You can't install unsigned apps from anywhere without unlocking the option. There are 3 tiers to choose from: Apps from the App Store, Apps from App Store and Identified Developers (Signed Apps), and from Anywhere. Any time you change these options and when you install an app that accesses the system you need to input your password / touchID / Apple Watch.

I wonder how this malware persisted this long probably even when Mac OS X Lion introduced Gatekeeper ?

Looks like in 2018 days will get bleaker when it comes to cybersecurity 

[Guest]

46 minutes ago, hey_yo_ said:

I wonder how this malware persisted this long probably even when Mac OS X Lion introduced Gatekeeper ?

Looks like in 2018 days will get bleaker when it comes to cybersecurity 

Well i'm pretty interested to see the method used there as well. Thats a pretty extrodinary case, and like I said Macs certianly aren't immune to viruses. I myself run Sophos Antivirus. Hopefully that article has a follow-up. I'll keep an eye out in MacOS updates.