PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more

["Dave Farber" <farber () gmail com>]

> Begin forwarded message:
>
> From: the keyboard of geoff goodfellow <geoff () iconia com>
> Subject: PSA: New macOS DNS hijacking malware discovered, also capable of screenshots, file access, more
> Date: January 16, 2018 at 8:23:30 PM EST
> To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com>
>
> excerpted from https://9to5mac.com/2018/01/15/macos-dns-hijacking-malware/ 
> <https://9to5mac.com/2018/01/15/macos-dns-hijacking-malware/>
> Apple’s macOS is reportedly the target of a new DNS hijacking exploit. As noted by The Hacker News 
> <https://thehackernews.com/2018/01/macos-dns-hijacker.html?m=1>, the malware is being likened to the DNSChange trojan 
> that affected over four million computers in 2011…
>
>
> This sort of malware works by changing DNS server settings on affected computers, thus routing traffic through 
> malicious servers and logging sensitive data in the process. This new version is being referred to as OSX/MaMi.
>
> News of this malware first appeared on the Malwarebytes forum, prompting ex-NSA hacker Patrick Wardle to do a deep 
> dive into it <https://objective-see.com/blog/blog_0x26.html>. Wardle found that the malware is indeed a DNS Hijacker, 
> but actually goes further and installs a new root certificate to hijack encrypted communication.
>
> “OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Wardle 
> writes.
>
> “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious 
> actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert 
> cryptocurrency mining scripts into web pages.
>
> Furthermore the malware’s reach is said to extend to things such as generating mouse events, taking screenshots, and 
> more:
>
> Taking screenshots
> Generating simulated mouse events
> Perhaps persists as a launch item (programArguments, runAtLoad)
> Downloading & uploading files
> Executing commands
> There’s still a lot we don’t know about this attack. For instance, specific information about how it’s spreading 
> remains unclear. Wardle speculates, however, that the attackers may be using rather basic methods of malicious emails 
> and fake security alerts and popups.
>
> Currently, you can check to make sure you aren’t affected by launching System Preferences, heading into the Network 
> menu, choosing “Advanced” and toggling over to the DNS menu. On that menu, keep an eye out for 82.163.143.135 and 
> 82.163.142.137.
>
> It’s important to note that, as of right now, antivirus products are not detecting the malware:
>
> As is often the case with new malware, it’s currently marked as ‘clean’ by all 59 engines on VirusTotal (this will 
> hopefully change shortly as AV products start adding detections).
>
> Furthermore, Wardle will be releasing a free open-source firewall for macOS called Lulu that prevents the OSX/MaMi 
> malware from stealing your data. Much more information from Wardle is available here 
> <https://objective-see.com/blog/blog_0x26.html>. [...]
>
>
> -- 
> Geoff.Goodfellow () iconia com <mailto:Geoff.Goodfellow () iconia com>
> living as The Truth is True
> http://geoff.livejournal.com <http://geoff.livejournal.com/>  
>
> This message was sent to the list address and trashed, but can be found online. 
> <https://www.listbox.com/login/messages/view/20180116202417:20C18584-FB25-11E7-8A2F-EB0DD359CE5B/>



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20180116203822:18530DD0-FB27-11E7-98F3-BD24513F892F
Powered by Listbox: http://www.listbox.com