A new malware branded as OSX/MaMi has been actively targeting Mac OS X devices in the wild. This malware uses a technique known as DNS hijacking, which allows the attacker to change a user’s DNS settings, redirecting the internet traffic from the infected device to the attacker. DNS hijacking is used to carry out Man-in-the-Middle (MITM) attacks which can result in information theft, malicious ads or crypto-miners being injected into web traffic. In order to intercept encrypted traffic and maintain persistence on infected devices, OSX/MaMi also installs a new root certificate. Currently, the means of infection remains unknown.
OSX/MaMi appears to be in its development stage. Analysis of the malware showed various other capabilities that have not yet been activated. Future versions of OSX/MaMi are expected to enable the attacker to take screenshots, simulate mouse events, persist as a launch item, download and upload files and execute commands.
What we’re doing about it
- A retroactive scan for known indicators of compromise (IOCs) has been performed across all clients
- esNETWORK signatures have been deployed
- Blocking malicious hashes on esENDPOINT
See the following information for indicators of compromise and additional technical details
- DNS settings change to 184.108.40.206 and 220.127.116.11 addresses
- New root certificate cloudguard(.)me
Known Malicious SHA-1 hashes:
Known Malicious MD5 hashes:
Infected systems are known to reach out to the following addresses:
For additional information, please see the initial disclosure report . https://objective-see.com/blog/blog_0x26.html