New macOS malware hijacks DNS settings and takes screenshots

The general perception about Apple devices is that they are protected from malware and other hacking attacks. But as attackers grow smarter and more sophisticated, things are changing for the worse. Now a Malwarebytes forum user has discovered a dangerous piece of malware targeting macOS, and an in-depth analysis of it has been conducted by an independent security researcher.

How does it work?

Dubbed OSX/MaMi, the malware is capable of installing a new root certificate and hijacking the DNS servers, then manipulating Internet traffic, redirecting it to a malicious server controlled by the attackers and stealing sensitive data from the device, including login credentials and passwords.

According to Patrick Wardle, the security researcher who analyzed the malware, OSX/MaMi is an unsigned Mach-O 64-bit executable that evades anti-virus detection and can keep an eye on the victim’s activity by taking screenshots, execute different commands, generate simulated mouse events, download and upload files, and more.

“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads),” Wardle concluded.


How does OSX/MaMi infect macOS?

Currently it is unclear how OSX/MaMi targets and infects macOS; however, Wardle believes attackers are using lame methods “such as malicious email, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.”

How to check whether your DNS settings have been hijacked

You can manually check whether your device is infected with OSX/MaMi by going into its DNS settings. If the DNS is set to and your device is infected. Moreover, since none of the 59 anti-virus engines on VirusTotal detected the malware, Wardle has created a free open-source firewall called ‘LuLu’ that detects OSX/MaMi’s network traffic.
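The manual check described above can be scripted. The following is an added example for this article, not code from the article, from Wardle or from the LuLu project: it reads the DNS servers configured on each macOS network service with `networksetup` and compares them against a list of indicator addresses, and it lists the certificates in the System keychain so an unexpected root can be spotted. The article does not reproduce the malicious DNS addresses or the certificate name, so the `SUSPECT_DNS` list holds constructed placeholder addresses from a documentation range, and no automatic verdict is made on certificates; the output format assumed for `networksetup -getdnsservers` is one address per line, or a sentence beginning "There aren't any DNS Servers set on" when the servers come from DHCP.

```shell
#!/bin/sh
# Added example, not code from the article or from Objective-See/LuLu:
# a defender-side check of the two system changes the article attributes to
# OSX/MaMi, rewritten DNS servers and an added root certificate.
#
# ASSUMPTION (placeholders, not real MaMi indicators): the article does not
# reproduce the malicious DNS addresses, so SUSPECT_DNS holds constructed
# documentation-range addresses. Replace them with indicators from a trusted
# write-up before use.
SUSPECT_DNS="198.51.100.10 198.51.100.11"

# is_suspect_dns SERVER_LIST
#   SERVER_LIST is the text printed by `networksetup -getdnsservers <service>`:
#   one address per line, or the sentence "There aren't any DNS Servers set on
#   <service>." when the servers come from DHCP. Prints each indicator that is
#   configured and returns 0 if at least one matched, 1 if none did.
is_suspect_dns() {
    servers=$1
    found=1
    for ip in $SUSPECT_DNS; do
        # -x matches the whole line so 198.51.100.1 never matches 198.51.100.10;
        # -F keeps the dots literal instead of treating them as wildcards.
        if printf '%s\n' "$servers" | grep -qxF -- "$ip"; then
            echo "indicator DNS server configured: $ip"
            found=0
        fi
    done
    return $found
}

# scan_dns_services: run is_suspect_dns over every network service (macOS only).
#   Returns 0 if any service matched, 1 if all were clean, 2 if not on macOS.
scan_dns_services() {
    if ! command -v networksetup >/dev/null 2>&1; then
        echo "networksetup not found; run this on macOS" >&2
        return 2
    fi
    hits=0
    old_ifs=$IFS
    # Service names contain spaces ("Thunderbolt Bridge"), so split on newlines.
    IFS='
'
    # The first output line is a legend; disabled services are prefixed with '*'.
    for svc in $(networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//'); do
        IFS=$old_ifs
        if is_suspect_dns "$(networksetup -getdnsservers "$svc")"; then
            echo "  -> configured on service: $svc"
            hits=$((hits + 1))
        fi
        IFS='
'
    done
    IFS=$old_ifs
    [ "$hits" -gt 0 ]
}

# list_system_root_certs: print subject and expiry of every certificate in the
# System keychain so an unexpected root (the article says MaMi installs one) can
# be reviewed by eye. The article does not name the certificate, so no automatic
# verdict is attempted here. macOS only.
list_system_root_certs() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; run this on macOS" >&2
        return 2
    fi
    pem=""
    # -a -p dumps every certificate in the keychain as concatenated PEM blocks;
    # each block is handed to openssl as soon as its END marker is read.
    security find-certificate -a -p /Library/Keychains/System.keychain |
    while IFS= read -r line; do
        pem="$pem$line
"
        case $line in
            *"END CERTIFICATE"*)
                printf '%s' "$pem" | openssl x509 -noout -subject -enddate
                pem=""
                ;;
        esac
    done
}

# Usage: save as mami-check.sh (hypothetical name) and run `sh mami-check.sh`.
if [ "${0##*/}" = "mami-check.sh" ]; then
    scan_dns_services
    list_system_root_certs
fi
```

A DNS match on any service is a strong signal because legitimately configured resolvers are usually DHCP-supplied or well-known public ones; the certificate listing is a review aid rather than a detector, since a freshly added root with an unfamiliar subject is what to look for.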


Mac users are urged to keep their operating system up to date, avoid downloading unnecessary apps and software, and not click on links or attachments in emails from unknown senders. Also, use up-to-date security software and stay safe online.

Top, featured image via DepositPhotos/Rawpixel


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.