Security advisories | Feb 26, 2019
OSX/MaMi Malware
A new malware branded as OSX/MaMi has been actively targeting Mac OS X devices in the wild. This malware uses a technique known as DNS hijacking, which allows the attacker to change a user’s DNS settings, redirecting the internet traffic from the infected device to the attacker. DNS hijacking is used to carry out Man-in-the-Middle (MITM) attacks which can result in information theft, malicious ads or crypto-miners being injected into web traffic. In order to intercept encrypted traffic and maintain persistence on infected devices, OSX/MaMi also installs a new root certificate. Currently, the means of infection remains unknown.
OSX/MaMi appears to be in its development stage. Analysis of the malware showed various other capabilities that have not yet been activated. Future versions of OSX/MaMi are expected to enable the attacker to take screenshots, simulate mouse events, persist as a launch item, download and upload files and execute commands.
What we’re doing about it
- A retroactive scan for known indicators of compromise (IOCs) has been performed across all clients
- esNETWORK signatures have been deployed
- Known malicious hashes are being blocked on esENDPOINT
Additional information
See the following information for indicators of compromise and additional technical details.
- DNS server settings changed to 82.163.143.135 and 82.163.142.137
- New root certificate cloudguard(.)me
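To check a Mac for the two network indicators above (the hijacked resolver addresses and the root certificate), here is an added shell example; it is not code from this advisory or from the Objective-See report. It uses the macOS `networksetup` and `security` commands for the live scan and assumes the certificate can be recognised by its name appearing in the keychain listing; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added defender-side check for the OSX/MaMi indicators in this advisory
# (not code from the advisory or from Objective-See). The IOC values are the
# advisory's; the live commands are macOS built-ins; matching the certificate
# by the name text in `security find-certificate` output is an assumption.

MAMI_DNS_IPS="82.163.143.135 82.163.142.137"
MAMI_CERT_NAME="cloudguard.me"

# Reads resolver addresses, one per line, on stdin (the format printed by
# `networksetup -getdnsservers <service>`). Prints each address that matches a
# known OSX/MaMi resolver; returns 0 if at least one matched, 1 otherwise.
dns_servers_hit() {
    hit=1
    while IFS= read -r addr; do
        for bad in $MAMI_DNS_IPS; do
            [ "$addr" = "$bad" ] && { echo "IOC: DNS server $addr"; hit=0; }
        done
    done
    return $hit
}

# Reads `security find-certificate -a` output on stdin; returns 0 if any line
# (label or subject) contains the MaMi root certificate name, 1 otherwise.
cert_hit() {
    grep -qiF "$MAMI_CERT_NAME"
}

# Live scan of this Mac: every network service's resolvers, then the System
# keychain. Returns 0 when any indicator was found. A hit is a lead, not
# proof of infection: confirm against the file hashes in the advisory.
scan_mac() {
    rc=1
    networksetup -listallnetworkservices 2>/dev/null | tail -n +2 | sed 's/^\*//' \
        | while IFS= read -r svc; do networksetup -getdnsservers "$svc"; done \
        | dns_servers_hit && rc=0
    if security find-certificate -a /Library/Keychains/System.keychain 2>/dev/null | cert_hit; then
        echo "IOC: certificate matching $MAMI_CERT_NAME in System keychain"
        rc=0
    fi
    return $rc
}

# Run the live scan only when asked (e.g. `sh mami_check.sh --scan`); the two
# check functions can also be fed saved command output from another host.
if [ "${1:-}" = "--scan" ]; then scan_mac; fi
```

Constructed input such as `printf '82.163.143.135\n8.8.8.8\n' | dns_servers_hit` prints the matching resolver and returns 0, while a list of benign resolvers returns 1.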
Known Malicious SHA-1 hashes:
- eaf2eccf80caafb3302824ab0cc2bd3996d4e3e5
- f596b8ae209a1600a33a230e9904472b6d4ba1c0
Known Malicious MD5 hashes:
- 91281acd8beebf4ef3b2cb2a74cba352
- 6e6034c13cb949156888513211b1f1ef
Infected systems are known to reach out to the following addresses:
For additional information, please see the initial disclosure report [1].
[1] https://objective-see.com/blog/blog_0x26.html