Skip to main content

PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

Apple’s macOS is reportedly the target of a new DNS hijacking exploit. As noted by The Hacker News, the malware is being likened to the DNSChange trojan that affected over four million computers in 2011…

This sort of malware works by changing DNS server settings on affected computers, thus routing traffic through malicious servers and logging sensitive data in the process. This new version is being referred to as OSX/MaMi.

News of this malware first appeared on the Malwarebytes forum, prompting ex-NSA hacker Patrick Wardle to do a deep dive into it. Wardle found that the malware is indeed a DNS Hijacker, but actually goes further and installs a new root certificate to hijack encrypted communication.

“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Wardle writes.

“By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.

Furthermore the malware’s reach is said to extend to things such as generating mouse events, taking screenshots, and more:

  • Taking screenshots
  • Generating simulated mouse events
  • Perhaps persists as a launch item (programArguments, runAtLoad)
  • Downloading & uploading files
  • Executing commands

There’s still a lot we don’t know about this attack. For instance, specific information about how it’s spreading remains unclear. Wardle speculates, however, that the attackers may be using rather basic methods of malicious emails and fake security alerts and popups.

Currently, you can check to make sure you aren’t affected by launching System Preferences, heading into the Network menu, choosing “Advanced” and toggling over to the DNS menu. On that menu, keep an eye out for 82.163.143.135 and 82.163.142.137.

It’s important to note that, as of right now, antivirus products are not detecting the malware:

As is often the case with new malware, it’s currently marked as ‘clean’ by all 59 engines on VirusTotal (this will hopefully change shortly as AV products start adding detections).

Furthermore, Wardle will be releasing a free open-source firewall for macOS called Lulu that prevents the OSX/MaMi malware from stealing your data. Much more information from Wardle is available here.


Subscribe to 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Chance Miller Chance Miller

Chance is the editor-in-chief of 9to5Mac, overseeing the entire site’s operations. He also hosts the 9to5Mac Daily and 9to5Mac Happy Hour podcasts.

You can send tips, questions, and typos to chance@9to5mac.com.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications