The founder of DutchSec and security researcher, Remco Verhoef, dissected a new MacOS malware at the SANS InfoSec Handlers Diary Blog.
“Previous days we've seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary,” states the blog entry.
This malware acts like an admin or a key personnel and requests to execute a code line. As soon as this code is executed a whopping 34mb size file is being downloaded and the infection starts.
After the initial findings of Verhoef, Digital Security chief research officer Patrick Wardle did his own autopsy on the malware and named it OSX.Dumb, and he has good reasons for it.
According to Wardle:
- the infection method is dumb
- the massive size of the binary is dumb
- the persistence mechanism is lame (and thus also dumb)
- the capabilities are rather limited (and thus rather dumb)
- it's trivial to detect at every step (that dumb)
- ...and finally, the malware saves the user's password to dumpdummy
Dumb or not, if the attack is successful, the system could be compromised as the attacker can take control of it.
Verhoef also discovers that malware eventually tries to connect to 185.243.115.230 at port 1337, which he later takes note“CrownCloud, a German-based provider is the owner of the block of 185.243.115.230 and the server appears to be located in the Netherlands.”
By Nadya Astam