OSX/MaMi Malware

A new malware branded as OSX/MaMi has been actively targeting Mac OS X devices in the wild. This malware uses a technique known as DNS hijacking, which allows the attacker to change a user’s DNS settings, redirecting the internet traffic from the infected device to the attacker. DNS hijacking is used to carry out Man-in-the-Middle (MITM) attacks which can result in information theft, malicious ads or crypto-miners being injected into web traffic. In order to intercept encrypted traffic and maintain persistence on infected devices, OSX/MaMi also installs a new root certificate. Currently, the means of infection remains unknown.

OSX/MaMi appears to be in its development stage. Analysis of the malware showed various other capabilities that have not yet been activated. Future versions of OSX/MaMi are expected to enable the attacker to take screenshots, simulate mouse events, persist as a launch item, download and upload files and execute commands.

What we’re doing about it

• A retroactive scan for known indicators of compromise (IOCs) has been performed across all clients
• esNETWORK signatures have been deployed
• Blocking malicious hashes on esENDPOINT

Additional information

See the following information for indicators of compromise and additional technical details

• DNS settings change to 82.163.143.135 and 82.163.142.137 addresses
• New root certificate cloudguard(.)me

Known Malicious SHA-1 hashes:

• eaf2eccf80caafb3302824ab0cc2bd3996d4e3e5
• f596b8ae209a1600a33a230e9904472b6d4ba1c0

Known Malicious MD5 hashes:

• 91281acd8beebf4ef3b2cb2a74cba352
• 6e6034c13cb949156888513211b1f1ef

Infected systems are known to reach out to the following addresses:

• squartera(.)info
• gorensin(.)info
• honouncil(.)info
• sincentre(.)info
• regardens(.)info
• angeing(.)info
• definitial(.)info
• humption(.)info
• lilovakia(.)info

For additional information, please see the initial disclosure report [1]. https://objective-see.com/blog/blog_0x26.html