A security researcher has uncovered a new, undetectable strain of malware affected Apple Macs that can hijack a device's DNS settings and steal victims' personal data. According to former NSA analyst and security researcher Patrick Wardle, the malicious code dubbed OSX MaMi is a DNS hijacker but also features a slew of other malicious capabilities.
The malware isn't "particularly advanced," Wardle explained in a blog post published on Thursday (11 January). However, it does not currently trigger any detections on anti-virus software.
"As is often the case with new malware, it's currently marked as 'clean' by all 59 engines on VirusTotal (this will hopefully change shortly as AV products start adding detections)," Wardle writes. "And speaking of 'new' if we load the malware's binary in a disassembler, we find an app version of 1.1.0, which... may seem to indicate the malware likely hasn't been around for too long."
After analysing the malware's source code, Wardle said OSX/MaMi is capable of installing a local certificate, setting up custom DNS settings, hijacking mouse clicks, running AppleScripts and taking mouse clicks. It can also get boot persistence, download and upload files and execute commands.
"OSX MaMi isn't particular advanced - but does alter infected systems in rather nasty and persistent ways," he explained. "By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)."
So far, the malware does not seem to be executing any other functions besides DNS hijacking.
"Perhaps in order for the methods to be executed or for the malware to be persisted, requires some attack-supplied input, or other preconditions that just weren't met in my [virtual machine]. I'll keep digging!"
It is not immediately clear who is behind OSX MaMi or how hackers are infecting their victims with the malware. Wardle suspects attackers are likely using the usual methods of malware distribution such as social-engineering based attacks, malicious emails or web-based fake security alerts to dupe victims into downloading the malicious code.
So far at least one person was reportedly affected by the malware. A user in the US reported on the Malwarebytes forums this week that the DNS servers on a fellow teacher's device were set to 220.127.116.11 and 18.104.22.168 and kept switching back even after being removed.
How to check if you're infected
To find out if you have been infected by the malware, Wardle suggests checking your DNS settings and seeing if they have been changed to 22.214.171.124 and 126.96.36.199. OSX MaMi does not seem to be targeting Windows devices at the moment.
Since it is currently undetectable to antivirus software, Users can use a third-party tool that can detect and block outgoing traffic, he said.
"There was a piece of Mac malware called 'DNSChanger' (or Puper, Jahlav, RSPlug-F)," Wardle wrote. "It targeted Macs over 10 years ago, and was a simple script.
"Could it be an update to that? I guess, but that seems unlikely [in my honest opinion]. The malware is also very 'macOS'-centric, meaning it's unlikely a direct port of some Window DNS hijacking malware."