Hackers are using a new MacOS malware aimed at cryptocurrency investors on Discord and Slack group chat communities.
The malware was initially discovered by IT security expert Remco Verhoef and later analyzed by Patrick Wardle, a former NSA white hat hacker and malware researcher.
Dubbed OSX.Dummy, the malware is spread by impersonating admins or key people in chat groups. According to Verhoef, small code snippets are being shared that lead users to download and execute a malicious binary, which gives the OSX.Dummy authors remote access to the device by connecting it to a command and control (C&C) server.
“If the connection to the attacker’s C&C server succeeds, the attacker will be able to arbitrarily execute commands (as root!) on the infected system,” noted Wardle.
Wardle further noted that the malicious binary is not signed, meaning that Gatekeeper would normally block it; however, the hackers got around this by tricking users into downloading the binary directly onto their system through terminal commands.
“Normally such a binary would be blocked by Gatekeeper. However, if users are downloading and running a binary directly via terminal commands, Gatekeeper does not come into play and thus the unsigned binary will be allowed to execute,” Wardle said. “I guess the takeaway here is (yet again) the built-in macOS malware mitigations should never be viewed as a panacea.”
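A check a defender can run on a downloaded binary before executing it, as an added example (not code from the article or from Wardle's analysis): it reports whether the file carries the com.apple.quarantine attribute that makes Gatekeeper assess it, and whether it is code-signed, using the xattr and codesign tools on macOS and reporting "unknown" for the signature elsewhere. The sample file produced by demo() is constructed for illustration.

```python
import os
import platform
import subprocess
import tempfile

QUARANTINE_XATTR = "com.apple.quarantine"

def has_quarantine_attr(path: str) -> bool:
    """True if the file carries Apple's quarantine attribute. Browsers set it on
    downloads, which is what triggers Gatekeeper; curl in Terminal does not."""
    if platform.system() == "Darwin":
        # os.listxattr is Linux-only in CPython, so use xattr(1) on macOS
        res = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path], capture_output=True)
        return res.returncode == 0
    listxattr = getattr(os, "listxattr", None)  # absent on some platforms
    try:
        return listxattr is not None and QUARANTINE_XATTR in listxattr(path)
    except OSError:
        return False

def signature_status(path: str) -> str:
    """'signed', 'unsigned', or 'unknown' when codesign(1) is unavailable."""
    if platform.system() != "Darwin":
        return "unknown"
    res = subprocess.run(["codesign", "--verify", "--", path], capture_output=True)
    return "signed" if res.returncode == 0 else "unsigned"

def assess(path: str) -> dict:
    """Summarise whether Gatekeeper stands between this file and execution."""
    quarantined = has_quarantine_attr(path)
    signature = signature_status(path)
    return {
        "quarantined": quarantined,
        "signature": signature,
        # Gatekeeper only evaluates quarantined files; an unsigned file without
        # the attribute runs unchecked, which is the OSX.Dummy delivery path.
        "gatekeeper_will_assess": quarantined,
        "runs_unchecked": (not quarantined) and signature != "signed",
    }

def demo() -> dict:
    """Constructed sample: a freshly written file, as a curl download would be."""
    with tempfile.NamedTemporaryFile("wb", suffix=".bin", delete=False) as fh:
        fh.write(b"#!/bin/sh\necho constructed sample, not a real payload\n")
        path = fh.name
    try:
        return assess(path)
    finally:
        os.unlink(path)
```

On a real download, a result with runs_unchecked set to True means neither Gatekeeper nor a signature check would stop the file from running.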
“I’m calling it OSX.Dummy as: the infection method is dumb, the massive size of the binary is dumb, the persistence mechanism is lame (and thus also dumb), the capabilities are rather limited (and thus rather dumb), it’s trivial to detect at every step (that dumb) …and finally, OSX.Dummy saves the user’s password to dumpdummy,” Wardle wrote.
Although the malware is called Dummy, cryptocurrency investors on Mac should be careful and refrain from downloading and executing files from third-party platforms, especially Discord and Slack group chat communities.
This is not the first time cryptocurrency users on Mac have been targeted by malware. In May this year, a cryptojacking malware called mshelper was found targeting Mac devices.