
Security advisories | Feb 26, 2019

OSX/MaMi Malware

A new malware branded as OSX/MaMi has been actively targeting Mac OS X devices in the wild. This malware uses a technique known as DNS hijacking, which allows the attacker to change a user’s DNS settings, redirecting the internet traffic from the infected device to the attacker. DNS hijacking is used to carry out Man-in-the-Middle (MITM) attacks which can result in information theft, malicious ads or crypto-miners being injected into web traffic. In order to intercept encrypted traffic and maintain persistence on infected devices, OSX/MaMi also installs a new root certificate. Currently, the means of infection remains unknown.

OSX/MaMi appears to be in its development stage. Analysis of the malware showed various other capabilities that have not yet been activated. Future versions of OSX/MaMi are expected to enable the attacker to take screenshots, simulate mouse events, persist as a launch item, download and upload files and execute commands.

What we’re doing about it

  • A retroactive scan for known indicators of compromise (IOCs) has been performed across all clients
  • esNETWORK signatures have been deployed
  • The known malicious hashes are being blocked on esENDPOINT

Additional information

See the following information for indicators of compromise and additional technical details.

  • DNS settings are changed to attacker-controlled addresses
  • A new root certificate named cloudguard(.)me is installed

Known Malicious SHA-1 hashes:

  • eaf2eccf80caafb3302824ab0cc2bd3996d4e3e5
  • f596b8ae209a1600a33a230e9904472b6d4ba1c0

Known Malicious MD5 hashes:

  • 91281acd8beebf4ef3b2cb2a74cba352
  • 6e6034c13cb949156888513211b1f1ef

Infected systems are known to reach out to the following addresses:

  • squartera(.)info
  • gorensin(.)info
  • honouncil(.)info
  • sincentre(.)info
  • regardens(.)info
  • angeing(.)info
  • definitial(.)info
  • humption(.)info
  • lilovakia(.)info
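The two behaviours described above (DNS hijacking plus a planted root certificate) and the indicator lists can be turned into a small host- and log-side check. The script below is an added example, not eSentire's tooling or the indicator feed behind esNETWORK/esENDPOINT. It keeps the advisory's indicators defanged exactly as published and "refangs" them only in memory; the resolver allowlist, the certificate names, the BIND-style DNS log format and the file bytes are all constructed sample data, and on a Mac you would feed the functions the output of `networksetup -getdnsservers <service>`, `security find-certificate -a -c <name> /Library/Keychains/System.keychain` and `shasum -a 1` instead.

```python
"""Offline matcher for the OSX/MaMi indicators listed in this advisory.

Added example, not the vendor's code. Every input is a plain Python value so
the same logic can be fed from macOS command output or from resolver logs.
"""
import hashlib
import re

# Indicators copied from the advisory, kept defanged exactly as published.
MAMI_DOMAINS_DEFANGED = [
    "squartera(.)info", "gorensin(.)info", "honouncil(.)info",
    "sincentre(.)info", "regardens(.)info", "angeing(.)info",
    "definitial(.)info", "humption(.)info", "lilovakia(.)info",
]
MAMI_ROOT_CERT_DEFANGED = "cloudguard(.)me"
MAMI_SHA1 = {
    "eaf2eccf80caafb3302824ab0cc2bd3996d4e3e5",
    "f596b8ae209a1600a33a230e9904472b6d4ba1c0",
}
MAMI_MD5 = {
    "91281acd8beebf4ef3b2cb2a74cba352",
    "6e6034c13cb949156888513211b1f1ef",
}


def refang(indicator: str) -> str:
    """Turn the published '(.)' notation back into a real dotted name."""
    return indicator.replace("(.)", ".").lower()


MAMI_DOMAINS = {refang(d) for d in MAMI_DOMAINS_DEFANGED}
MAMI_ROOT_CERT = refang(MAMI_ROOT_CERT_DEFANGED)


def matching_domains(hostnames):
    """Return the hostnames that are a listed C2 domain or a subdomain of one."""
    hits = set()
    for name in hostnames:
        name = name.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in MAMI_DOMAINS):
            hits.add(name)
    return sorted(hits)


def unexpected_resolvers(configured, expected):
    """DNS hijacking shows up as resolvers you never configured.

    `expected` is your own resolver allowlist (an assumption of this example;
    the advisory does not reproduce the attacker's addresses).
    """
    return sorted(set(configured) - set(expected))


def suspicious_root_certs(cert_names):
    """Flag trust-store entries whose name matches the advisory's root cert."""
    return sorted(n for n in cert_names if MAMI_ROOT_CERT in refang(n))


def hash_verdict(data: bytes):
    """Check a file's bytes against both hash lists from the advisory."""
    sha1 = hashlib.sha1(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    return {"sha1": sha1, "md5": md5,
            "match": sha1 in MAMI_SHA1 or md5 in MAMI_MD5}


# BIND-style "query: <name> IN A" lines; the log format is an assumption.
QUERY_RE = re.compile(r"query:\s+(\S+)")


def scan_dns_log(lines):
    """Pull queried names out of resolver log lines and match them."""
    names = [m.group(1) for line in lines
             for m in [QUERY_RE.search(line)] if m]
    return matching_domains(names)


# Constructed sample data, not real telemetry.
SAMPLE_LOG = [
    "26-Feb-2019 10:01:02 client 10.0.0.5#51234: query: www.example.com IN A",
    "26-Feb-2019 10:01:07 client 10.0.0.5#51240: query: update.squartera.info IN A",
    "26-Feb-2019 10:01:09 client 10.0.0.7#51244: query: lilovakia.info IN A",
]
SAMPLE_RESOLVERS = ["10.0.0.53", "198.51.100.1"]  # second one was never configured
EXPECTED_RESOLVERS = ["10.0.0.53"]
SAMPLE_CERTS = ["Apple Root CA", "cloudguard.me"]

if __name__ == "__main__":
    print("C2 lookups:", scan_dns_log(SAMPLE_LOG))
    print("foreign resolvers:", unexpected_resolvers(SAMPLE_RESOLVERS, EXPECTED_RESOLVERS))
    print("planted roots:", suspicious_root_certs(SAMPLE_CERTS))
    print("hash check:", hash_verdict(b"constructed bytes, not the real sample"))
```

Matching on subdomains as well as exact names matters because the infected host may query a label under one of the listed zones; the resolver check is deliberately an allowlist rather than a denylist, since the advisory does not reproduce the attacker's resolver addresses and a hijack to any unexpected resolver is worth a look.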

For additional information, please see the initial disclosure report [1].