Apple’s macOS is reportedly the target of a new DNS hijacking exploit. As noted by The Hacker News, the malware is being likened to the DNSChange trojan that affected over four million computers in 2011…
Sylvania HomeKit Light Strip
This sort of malware works by changing DNS server settings on affected computers, thus routing traffic through malicious servers and logging sensitive data in the process. This new version is being referred to as OSX/MaMi.
News of this malware first appeared on the Malwarebytes forum, prompting ex-NSA hacker Patrick Wardle to do a deep dive into it. Wardle found that the malware is indeed a DNS Hijacker, but actually goes further and installs a new root certificate to hijack encrypted communication.
“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Wardle writes.
“By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.
Furthermore the malware’s reach is said to extend to things such as generating mouse events, taking screenshots, and more:
- Taking screenshots
- Generating simulated mouse events
- Perhaps persists as a launch item (programArguments, runAtLoad)
- Downloading & uploading files
- Executing commands
There’s still a lot we don’t know about this attack. For instance, specific information about how it’s spreading remains unclear. Wardle speculates, however, that the attackers may be using rather basic methods of malicious emails and fake security alerts and popups.
Currently, you can check to make sure you aren’t affected by launching System Preferences, heading into the Network menu, choosing “Advanced” and toggling over to the DNS menu. On that menu, keep an eye out for 18.104.22.168 and 22.214.171.124.
It’s important to note that, as of right now, antivirus products are not detecting the malware:
As is often the case with new malware, it’s currently marked as ‘clean’ by all 59 engines on VirusTotal (this will hopefully change shortly as AV products start adding detections).
Furthermore, Wardle will be releasing a free open-source firewall for macOS called Lulu that prevents the OSX/MaMi malware from stealing your data. Much more information from Wardle is available here.