A new malware family branded as OSX/MaMi has been actively targeting Mac OS X devices in the wild. The malware uses a technique known as DNS hijacking, which allows the attacker to change a user's DNS settings and redirect the infected device's internet traffic through attacker-controlled resolvers. DNS hijacking is used to carry out Man-in-the-Middle (MITM) attacks, which can result in information theft or in malicious ads or crypto-miners being injected into web traffic. In order to intercept encrypted traffic and maintain persistence on infected devices, OSX/MaMi also installs a new root certificate. Currently, the means of infection remains unknown.

OSX/MaMi appears to be in its development stage. Analysis of the malware showed various other capabilities that have not yet been activated. Future versions of OSX/MaMi are expected to enable the attacker to take screenshots, simulate mouse events, persist as a launch item, download and upload files and execute commands.


What we’re doing about it

  • A retroactive scan for known indicators of compromise (IOCs) has been performed across all clients
  • esNETWORK signatures have been deployed
  • Known malicious hashes are being blocked on esENDPOINT


Additional information

See the following indicators of compromise and additional technical details:

  • DNS server settings changed to the addresses 82.163.143.135 and 82.163.142.137
  • New root certificate cloudguard(.)me
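The two host-side indicators above (hijacked resolver addresses and the injected root certificate) can be checked with a short triage script. The following is an added example, not eSentire's own tooling: it parses the output of macOS `scutil --dns` and `security find-certificate -a`, runs against constructed sample output when not on a Mac, and assumes the `"labl"` attribute layout of the keychain dump.

```python
import re, subprocess, sys

# Indicators of compromise taken from the advisory above.
MAMI_DNS_SERVERS = {"82.163.143.135", "82.163.142.137"}
MAMI_CERT_LABEL = "cloudguard.me"

# Constructed sample of `scutil --dns` output on a hijacked host (not a real capture).
SAMPLE_SCUTIL = """\
resolver #1
  search domain[0] : localdomain
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 4 (en0)
"""

# Constructed sample of `security find-certificate -a` attribute output; the
# "labl" attribute carries the certificate's display name (an assumed layout).
SAMPLE_KEYCHAIN = """\
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="cloudguard.me"
    "subj"<blob>=0x300A
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)
LABEL_RE = re.compile(r'"labl"<blob>="([^"]*)"')

def hijacked_resolvers(scutil_text):
    """Configured nameservers that match the MaMi DNS IOCs, sorted."""
    return sorted(set(NAMESERVER_RE.findall(scutil_text)) & MAMI_DNS_SERVERS)

def suspicious_cert_labels(keychain_text):
    """Certificate labels in the keychain dump that name the MaMi root CA."""
    return [l for l in LABEL_RE.findall(keychain_text) if MAMI_CERT_LABEL in l.lower()]

def triage(scutil_text, keychain_text):
    """All IOC hits as human-readable strings; an empty list means no indicators."""
    hits = ["resolver " + ip for ip in hijacked_resolvers(scutil_text)]
    hits += ["root cert " + label for label in suspicious_cert_labels(keychain_text)]
    return hits

if __name__ == "__main__":
    if sys.platform == "darwin":  # live check on a Mac
        run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
        scutil = run(["scutil", "--dns"])
        keychain = run(["security", "find-certificate", "-a", "/Library/Keychains/System.keychain"])
    else:  # elsewhere, run against the constructed samples
        scutil, keychain = SAMPLE_SCUTIL, SAMPLE_KEYCHAIN
    for hit in triage(scutil, keychain) or ["no MaMi indicators found"]:
        print(hit)
```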


Known Malicious SHA-1 hashes:

  • eaf2eccf80caafb3302824ab0cc2bd3996d4e3e5
  • f596b8ae209a1600a33a230e9904472b6d4ba1c0


Known Malicious MD5 hashes:

  • 91281acd8beebf4ef3b2cb2a74cba352
  • 6e6034c13cb949156888513211b1f1ef


Infected systems are known to reach out to the following addresses:



For additional information, please see the initial disclosure report [1].

[1] https://objective-see.com/blog/blog_0x26.html

eSentire Media Contacts

Mandy Bachus | eSentire | [email protected] | +1 519.651.2200 x5226 | @MandyBachus

Angela Tuzzo | MRB Public Relations | [email protected] | +1 732.758.1100 x105 | @MRB_PR
