A new malware branded as OSX/MaMi has been actively targeting Mac OS X devices in the wild. This malware uses a technique known as DNS hijacking, which allows the attacker to change a user’s DNS settings, redirecting the internet traffic from the infected device to the attacker. DNS hijacking is used to carry out Man-in-the-Middle (MITM) attacks which can result in information theft, malicious ads or crypto-miners being injected into web traffic. In order to intercept encrypted traffic and maintain persistence on infected devices, OSX/MaMi also installs a new root certificate. Currently, the means of infection remains unknown. 

OSX/MaMi appears to be in its development stage. Analysis of the malware showed various other capabilities that have not yet been activated. Future versions of OSX/MaMi are expected to enable the attacker to take screenshots, simulate mouse events, persist as a launch item, download and upload files and execute commands.


What we’re doing about it

  • A retroactive scan for known indicators of compromise (IOCs) has been performed across all clients
  • esNETWORK signatures have been deployed
  • Blocking malicious hashes on esENDPOINT


Additional information

See the following information for indicators of compromise and additional technical details

  • DNS settings change to and addresses
  • New root certificate cloudguard(.)me


Known Malicious SHA-1 hashes:

  • eaf2eccf80caafb3302824ab0cc2bd3996d4e3e5
  • f596b8ae209a1600a33a230e9904472b6d4ba1c0


Known Malicious MD5 hashes:

  • 91281acd8beebf4ef3b2cb2a74cba352
  • 6e6034c13cb949156888513211b1f1ef


Infected systems are known to reach out to the following addresses:

  • squartera(.)info
  • gorensin(.)info
  • honouncil(.)info
  • sincentre(.)info
  • regardens(.)info
  • angeing(.)info
  • definitial(.)info
  • humption(.)info
  • lilovakia(.)info


For additional information, please see the initial disclosure report [1]. https://objective-see.com/blog/blog_0x26.html

See the latest security advisories

Articles and reports written by eSentire staff and our Threat Intelligence Research Group.

Ready to get started?
We're here to help.

Get Started
Reach out to schedule a meeting and learn more about our Managed Detection and Response, Risk Advisory and Managed Prevention capabilities.