'Dumb' malware targets MacOS devices by getting cryptocurrency users to infect themselves

Attackers lure users on cryptocurrency forums into downloading a massive binary that grants them backdoor access

Attackers are targeting cryptocurrency users with a new malware designed for macOS by getting victims on Slack or Discord groups to infect themselves with a malicious script.

Posing as group administrators on cryptocurrency forums and discussion boards, the malicious actors are sharing a script, and encouraging users to copy and paste it into a Terminal window on their Macs, disguised as helpful advice.

The command, once entered, downloads a 34-megabyte payload from a remote server and grants backdoor access into the infected machine, according to Remco Verhoef from SANS, who first discovered the threat.

Later dubbed OSX.Dummy by Mac malware expert Patrick Wardle for a host of reasons, the infection is able to bypass Gatekeeper, an additional layer of security on macOS X, if enabled directly through terminal commands, despite the fact it is unsigned code - meaning it should, in theory, be immediately detected.

Advertisement
Advertisement - Article continues below

Among Wardle's observations, he noted "the infection method is dumb, the massive size of the binary is dumb, the persistence mechanism is lame (and thus also dumb)" and "the capabilities are rather limited (and thus rather dumb)".

The large binary attempts to encrypt its communication with the original server, and, once executed, uses sudo to elevate its rights on the infected machine. From there, it seems to do no more than create a shell script file and a launch daemon to keep it running.

Despite the malware being not particularly exceptional, according to Thomas Reed, Malwarebytes' director of Mac and mobile, the method of distributing is itself interesting, given how often people on forums have been giving instructions that involve running line-by-line terminal commands for years.

"There have been other cases in the past of scripts being posted that were actually malicious in nature," he wrote on the cyber security company's official blog.

"The most well known of these was an infamous trick where users were told to run the following command to cure whatever problem they were having: sudo rm -rf /. Unfortunately for users who actually followed directions like these, this command actually erases the hard drive.

"Thus, there's precedent for being suspicious of shell scripts posted online, yet even so, many people will still run highly suspicious scripts without a care. Readers are encouraged to educate users about the dangers of this behaviour at every opportunity."

The executable file also asks for a password when first run, which may be seen as normal sudo behaviour, but is actually the malware stealing the user's password, which it subsequently stores on small data files named 'dumpdummy' on the infected Macs.

This, according to Reed, poses a "serious security threat", and given the file itself is not malicious likely won't be detected by most, if any, antivirus software. Removing the infection therefore won't necessarily remove the 'dumpdummy' files.

The analysts involved have not yet been able to determine the attackers' aims, but, given the fact the malware grants an attacker the ability to execute command-line code as the root user and that cryptocurrency users are being targeted, they are likely to be motivated by cryptocurrency theft.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019