Hackers using MacOS malware are targeting cryptocurrency investors that use both the Slack and Discord chat platforms. The malware, dubbed OSX.Dummy, uses an unsophisticated infection method, but those who are successfully attacked open their systems up to remote arbitrary code execution. “If the connection to the attacker’s C&C server succeeds, the attacker will be able to arbitrarily execute commands (as root!) on the infected system,” wrote Patrick Wardle, chief research officer at Digita Security, in a blog post Friday.

The malware was first spotted and described by researcher Remco Verhoef, who posted his findings early Friday to the SANS InfoSec Handlers Diary Blog. The researcher said he observed multiple attacks last week. “In previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chat groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary,” he wrote. Users are enticed by attackers to execute a script that in turn downloads the hefty 34Mb OSX.Dummy malware via cURL. The download is saved to the macOS /tmp/script directory and then executed. “The file is a large Mach-O 64 binary (34M), rating a perfect score of 0/60 on VirusTotal,” Verhoef wrote.

[Figure: The script used to trick victims into downloading OSX.Dummy.]

The binary is unsigned, Wardle notes, adding that the malware is able to sidestep the macOS Gatekeeper security software, designed to prevent unsigned software from being downloaded and executed. “Normally such a binary would be blocked by Gatekeeper. However if users are downloading and running a binary directly via terminal commands, Gatekeeper does not come into play and thus the unsigned binary will be allowed to execute,” Wardle wrote. As the malware binary is executed, a macOS sudo command (via Terminal) changes the malware’s permissions to root. “I guess the take away here is (yet again) the built-in macOS malware mitigations should never be viewed as a panacea.”

“This will require the user to enter their password in the terminal,” Wardle explains. According to Apple, “to execute a sudo command in Terminal on your Mac, you must be logged in with an administrator account that has a password.” From there, the malware drops code in various macOS directories including “/Library/LaunchDaemons/”, which gives OSX.Dummy persistence. “The bash script (which runs a python command) tries to connect to 185.243.115.230 at port 1337 within a loop and the python code creates a reverse shell. To ensure execution during startup it creates a launch daemon. At the moment I was testing this, the reverse shell failed to connect,” Verhoef wrote.
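The persistence and beaconing behaviour described above (a launch daemon in /Library/LaunchDaemons that hands a dropped script in /tmp to an interpreter, and a script that loops trying to reach a hard-coded IP and port) is easy to hunt for on a Mac. The following is an added defensive example written for this page; it is not code from Threatpost, Wardle or Verhoef. The plist and script contents are constructed samples that mimic the shape of what the article describes (labels and paths are placeholders; the payload itself is replaced by a placeholder string), and the function names are my own. It uses only the standard library's plistlib and re.

```python
import plistlib
import re
from pathlib import Path

# Constructed sample: a LaunchDaemon plist shaped like the persistence the article
# describes (RunAtLoad daemon that hands a script in /tmp to bash). Label and paths
# are placeholders, not values taken from the real malware.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.placeholder.dummy</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>/tmp/script.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign daemon for comparison: a vendor binary under /Library on a timer.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.placeholder.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/PlaceholderVendor/updater</string><string>--daemon</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Constructed stand-in for the dropped script: a retry loop that hands the IP and port
# named in the article to an inline python command. The python code is a placeholder.
SUSPICIOUS_SCRIPT = """#!/bin/bash
while true; do
  python -c "PAYLOAD_PLACEHOLDER" 185.243.115.230 1337
  sleep 5
done
"""

INTERPRETERS = {"bash", "sh", "zsh", "python", "python3", "perl", "osascript", "curl"}
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOOP_RE = re.compile(r"\bwhile\s+(?:true|:)")
INLINE_PYTHON_RE = re.compile(r"\bpython3?\s+-c\b")


def analyse_daemon(plist_bytes: bytes) -> list[str]:
    """Return findings for one launchd job plist; an empty list means nothing odd."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments", []))
    if isinstance(job.get("Program"), str):
        args.insert(0, job["Program"])
    findings = []
    # A daemon whose program is a shell or scripting interpreter is unusual for vendors.
    if args and Path(args[0]).name in INTERPRETERS:
        findings.append(f"interpreter as daemon program: {args[0]}")
    # Anything the daemon runs from a world-writable or temp directory is a red flag.
    for arg in args:
        if arg.startswith(WRITABLE_DIRS):
            findings.append(f"argument in temp/world-writable dir: {arg}")
    if IPV4_RE.search(" ".join(args)):
        findings.append("raw IPv4 address in ProgramArguments")
    # RunAtLoad only matters once something else looks wrong; it is common on its own.
    if findings and job.get("RunAtLoad"):
        findings.append("RunAtLoad set (executes at boot)")
    return findings


def analyse_script(text: str) -> list[str]:
    """Return findings for the text of a script referenced by a daemon."""
    findings = []
    ips = sorted(set(IPV4_RE.findall(text)))
    if ips:
        findings.append("hard-coded IPv4 address(es): " + ", ".join(ips))
    if ips and LOOP_RE.search(text):
        findings.append("retry loop around a network contact")
    if INLINE_PYTHON_RE.search(text):
        findings.append("inline python invoked from shell script")
    return findings


def scan_launch_daemons(directory: str = "/Library/LaunchDaemons") -> dict[str, list[str]]:
    """Walk a LaunchDaemons directory on a real system and report plists with findings."""
    report = {}
    for plist_path in Path(directory).glob("*.plist"):
        try:
            found = analyse_daemon(plist_path.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse is itself worth a look
            found = [f"unparseable plist: {exc}"]
        if found:
            report[str(plist_path)] = found
    return report


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(name, analyse_daemon(blob))
    print("script", analyse_script(SUSPICIOUS_SCRIPT))
```

Run it as-is to see the constructed samples scored; on a real Mac, call scan_launch_daemons() (and again with "/Library/LaunchAgents" and each user's "~/Library/LaunchAgents") and review any plist it reports, then read the script each flagged daemon points at with analyse_script. The checks are deliberately coarse: they surface daemons that run interpreters, run content from /tmp, or carry raw IP literals, which is exactly the combination the article describes, and a human then decides.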