{
	"id": "0e81c91d-7a13-422e-b52e-c869cbe74678",
	"created_at": "2026-04-06T00:19:39.1761Z",
	"updated_at": "2026-04-10T03:30:33.078281Z",
	"deleted_at": null,
	"sha1_hash": "d2258f95cc68d2b5b764e94065fc83afc2817c7b",
	"title": "Ay MaMi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2649040,
	"plain_text": "Ay MaMi\r\nArchived: 2026-04-05 13:02:32 UTC\r\n› Analyzing a New macOS DNS Hijacker: OSX/MaMi\r\n01/11/2018\r\nlove these blog posts? support my tools \u0026 writing on patreon! Mahalo :)\r\n2018 is barely two weeks old, and already it looks like we've got a new piece of macOS malware! Hooray :)\r\nWant to play along? I've shared the malware's binary executable ('MaMi'), which can be downloaded here\r\n(password: infect3d).\r\nPlease don't infect yourself!\r\nBackground\r\nEarlier today (01/11), someone on MalwareBytes' forum created a post titled \"DNS Hijacked\":\r\nhttps://objective-see.com/blog/blog_0x26.html\r\nPage 1 of 20\r\nAs I hadn't seen an answer to MikeOfMaine's post, and as far as I'm aware there hasn't been any recent macOS\r\nmalware that hijacks DNS settings, I was intrigued! So without further ado, let's dive into analyzing (what\r\nI'm calling) OSX/MaMi!\r\nAnalysis\r\nThough I am currently unaware of the malware's infection vector, it is hosted on various sites such as\r\nhttp://regardens.info:\r\n$ curl -L http://regardens.info/ \u003e MaMi\r\n% Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 178 0 178 0 0 381 0 --:--:-- --:--:-- --:--:-- 381\r\n100 552k 100 552k 0 0 314k 0 0:00:01 0:00:01 --:--:-- 581k\r\nMacBookPro:Downloads patrickw$ file MaMi\r\nMaMi: Mach-O 64-bit executable x86_64\r\nAs shown by WhatsYourSign, nothing too special about the file; it's an unsigned Mach-O 64-bit executable.\r\nAs is often the case with new malware, it's currently marked as 'clean' by all 59 engines on VirusTotal (this will\r\nhopefully change shortly as AV products start adding detections).\r\nAnd speaking of 'new': if we load the malware's binary in a disassembler, we find an app version of 1.1.0, which\r\n(given such a low version number) may indicate the malware hasn't been around for 
too long.\r\n000000010003818f db \"AppVersion: %@\\nAppBuild: %@\", 0\r\n00000001000381ab db \"1.1.0\", 0\r\n00000001000381b1 db \"0\", 0\r\nBefore we dig further into the disassembly, let's dump the Objective-C class names and methods, as often this can\r\nallow us to quickly gain insight into the malware's (likely) capabilities, or at least guide our analysis.\r\nI use J. Levin's invaluable jtool utility to dump such info:\r\n$ ./jtool -d objc -v MaMi\r\n@interface AppDelegate\r\n...\r\n/* 2 - 0x100001e0b */ - setupCert;\r\n...\r\n/* 7 - 0x1000027bc */ - setupDNS;\r\n...\r\n/* 9 - 0x100002a97 */ - takeScreenshotAt:;\r\n...\r\n/* 22 - 0x1000049d8 */ - mouseClick:;\r\n...\r\n/* 24 - 0x100004ac5 */ - runAppleScript:;\r\n@interface SBMaMiSettings :\r\n...\r\n/* 2 - 0x10000518b */ - initMaMiSettings;\r\n...\r\n/* 9 - 0x100005385 */ - programArguments;\r\n...\r\n/* 11 - 0x1000053a7 */ - runAtLoad;\r\n...\r\n/* 25 - 0x10000548f */ - launchOnlyOnce;\r\n@interface SBNetwork :\r\n...\r\n/* 0 - 0x10000d2e5 */ + downloadFile:atPath:;\r\n/* 1 - 0x10000d4a8 */ + sendAsyncRequestWithUrls:andMethod:andBody:;\r\n@interface SBFileSystem : ?\r\n/* 0 - 0x10002407e */ + writeString:toPath:;\r\n...\r\n/* 8 - 0x1000247fb */ + runCmd:andPipeToCmd:withParams:andParams2:;\r\n/* 9 - 0x100024b07 */ + runCmd:withParams:;\r\n/* 10 - 0x100024b23 */ + runCmd:withParams:andUser:;\r\n@interface SBCryptoSystem : ?\r\n/* 0 - 0x100026731 */ + isAdmin; // Protocol 129824ad7\r\n/* 1 - 0x100026745 */ + elevatePrivilegesWithParams:; // Protocol 1298247ca\r\n/* 2 - 0x1000267aa */ + relaunchWithPrivilegesAndParams:;\r\nSome very interesting methods! 
Of course we'll continue our analysis to confirm, but it seems this malware is\r\nindeed a 'DNS hijacker' (method: setupDNS), with a host of other abilities such as:\r\ntaking screenshots\r\ngenerating simulated mouse events\r\nperhaps persisting as a launch item (programArguments, runAtLoad)\r\ndownloading \u0026 uploading files\r\nexecuting commands\r\n...and more!\r\nJumping back to the disassembly, within the application's main entry point (-[AppDelegate\r\napplicationDidFinishLaunching:]), we see a massive encrypted string that is passed to a setDefaultConfiguration:\r\nmethod:\r\n [SBConfigManager setDefaultConfiguration:@\"uZmgulcipekSbayTO9ByamTUu_zVtsflazc2Nsuqgq0dXko\r\n OzKMJMNTULoLpd-QV9qQy6VRluzRXqWOGscgheRvikLkPRzs1pJbey2QdaUSXUZCX-UNERrosul22NsW2vYpS7HQO4\r\n VG5l8qic3rSH_fAhxsBXpEe557eHIr245LUYcEIpemnvSPTZ_lNp2XwyOJjzcJWirKbKwtc3Q61pDwTzKvE0...\"];\r\nApplying some classified decryption methods I learned as an intern working in NSA's Cryptanalysis and\r\nExploitation Services (CES) group, it was trivial to decrypt this configuration data. I'm totally kidding - not about\r\nthe internship, but about how to decrypt. 
Just step over that method in a debugger (lldb) and the data is sitting\r\ndecrypted in memory:\r\n# lldb MaMi\r\n(lldb) target create \"MaMi\"\r\nCurrent executable set to 'MaMi' (x86_64).\r\n...\r\n(lldb) po $rax\r\n{\r\n defaults = {\r\n affiliate = \"\";\r\n build = 0;\r\n \"compilation_id\" = 0;\r\n \"confirmation_end_time\" = 0;\r\n \"confirmation_start_time\" = 0;\r\n \"download_complete_time\" = 0;\r\n \"download_location\" = \"\";\r\n \"download_retry_count\" = 0;\r\n \"download_start_time\" = 0;\r\n \"download_url\" = \"\";\r\n \"exception_id\" = 0;\r\n \"execute_location\" = \"\";\r\n \"execution_end_time\" = 0;\r\n \"execution_start_time\" = 0;\r\n \"exit_code\" = 0;\r\n \"external_id\" = 0;\r\n \"file_crc\" = 0;\r\n \"hardware_id\" = 0;\r\n \"hosts_active\" = \"\";\r\n \"installer_id\" = 0;\r\n \"is_admin\" = false;\r\n \"old_secondary_dns\" = \"\";\r\n \"os_build\" = 0;\r\n \"os_id\" = 0;\r\n \"product_id\" = 0;\r\n \"product_name\" = \"\";\r\n \"publisher_id\" = 0;\r\n \"register_date\" = 0;\r\n \"register_dsrc\" = 0;\r\n \"report_id\" = 0;\r\n \"run_args\" = \"\";\r\n \"screen_x\" = 0;\r\n \"screen_y\" = 0;\r\n \"secondary_dns\" = \"\";\r\n \"service_pack\" = 0;\r\n \"session_id\" = 0;\r\n status = 0;\r\n \"step_id\" = 0;\r\n tag = \"\";\r\n tracker = \"\";\r\n \"user_time\" = 0;\r\n \"validate_end_time\" = 0;\r\n \"validate_start_time\" = 0;\r\n version = 0;\r\n };\r\n dnsChanger = {\r\n affiliate = \"\";\r\n \"blacklist_dns\" = (\r\n );\r\n encrypt = true;\r\n \"external_id\" = 0;\r\n \"product_name\" = dnsChanger;\r\n \"publisher_id\" = 0;\r\n raw = true;\r\n reports = {\r\n \"dnsChanger_activity\" = {\r\n async = false;\r\n body = \"r={dnsChanger-\u003ereports-\u003ednsChanger_activity-\u003etemplate}\u0026rc={dnsChanger}\";\r\n \"connection_timeout\" = 5;\r\n domains = (\r\n \"honouncil.info\",\r\n 
\"gorensin.info\"\r\n );\r\n \"http_headers\" = (\r\n {\r\n name = \"Content-Type\";\r\n value = \"application/x-www-form-urlencoded\";\r\n },\r\n {\r\n name = \"User-Agent\";\r\n value = \"\";\r\n }\r\n );\r\n \"query_string\" = \"r={dnsChanger-\u003ereports-\u003ednsChanger_activity-\u003etemplate}\u0026rc={dnsChang\r\n \"request_method\" = 1;\r\n \"request_timeout\" = 5;\r\n \"retry_count\" = 2;\r\n \"send_port\" = 80;\r\n \"send_protocol\" = http;\r\n template = {\r\n affiliate = \"%affiliate%\";\r\n build = \"%build%\";\r\n \"compilation_id\" = \"%compilation_id%\";\r\n dns = {\r\n \"hosts_active\" = \"%hosts_active%\";\r\n \"hosts_config\" = \"[templates-\u003esecondary_dns]\";\r\n };\r\n encrypt = true;\r\n \"exception_id\" = \"%exception_id%\";\r\n expand = true;\r\n \"external_id\" = \"%external_id%\";\r\n \"hardware_id\" = \"%hardware_id%\";\r\n \"is_admin\" = \"%is_admin%\";\r\n \"old_dns\" = {\r\n \"hosts_active\" = \"%hosts_active%\";\r\n \"hosts_config\" = \"[templates-\u003eold_secondary_dns]\";\r\n };\r\n \"os_build\" = \"%os_build%\";\r\n \"os_id\" = \"%os_id%\";\r\n \"product_name\" = \"%product_name%\";\r\n \"publisher_id\" = \"%publisher_id%\";\r\n \"register_date\" = \"%register_date%\";\r\n \"register_dsrc\" = \"%register_dsrc%\";\r\n \"report_id\" = \"%report_id%\";\r\n \"report_name\" = \"dnsChanger_activity\";\r\n \"report_type\" = 8;\r\n \"screen_x\" = \"%screen_x%\";\r\n \"screen_y\" = \"%screen_y%\";\r\n \"service_pack\" = \"%service_pack%\";\r\n \"session_id\" = \"%session_id%\";\r\n status = \"%status%\";\r\n tag = \"%tag%\";\r\n tracker = \"%tracker%\";\r\n \"user_time\" = \"%user_time%\";\r\n version = \"%version%\";\r\n };\r\n \"url_path\" = \"\";\r\n };\r\n \"time_report\" = {\r\n async = false;\r\n body = \"r={dnsChanger-\u003ereports-\u003etime_report-\u003etemplate}\u0026rc={dnsChanger}\";\r\n \"connection_timeout\" = 5;\r\n domains = (\r\n \"squartera.info\"\r\n 
);\r\n \"http_headers\" = (\r\n {\r\n name = \"Content-Type\";\r\n value = \"application/x-www-form-urlencoded\";\r\n },\r\n {\r\n name = \"User-Agent\";\r\n value = \"\";\r\n }\r\n );\r\n \"query_string\" = \"\";\r\n \"request_method\" = 2;\r\n \"request_timeout\" = 5;\r\n \"retry_count\" = 2;\r\n \"send_port\" = 80;\r\n \"send_protocol\" = http;\r\n template = {\r\n affiliate = \"%affiliate%\";\r\n build = \"%build%\";\r\n \"compilation_id\" = \"%compilation_id%\";\r\n dns = {\r\n \"hosts_active\" = \"%hosts_active%\";\r\n \"hosts_config\" = \"[templates-\u003esecondary_dns]\";\r\n };\r\n encrypt = true;\r\n \"exception_id\" = \"%exception_id%\";\r\n expand = true;\r\n \"external_id\" = \"%external_id%\";\r\n \"hardware_id\" = \"%hardware_id%\";\r\n \"is_admin\" = \"%is_admin%\";\r\n \"os_build\" = \"%os_build%\";\r\n \"os_id\" = \"%os_id%\";\r\n \"product_name\" = \"%product_name%\";\r\n \"publisher_id\" = \"%publisher_id%\";\r\n \"report_id\" = \"%report_id%\";\r\n \"report_name\" = \"time_request\";\r\n \"screen_x\" = \"%screen_x%\";\r\n \"screen_y\" = \"%screen_y%\";\r\n \"service_pack\" = \"%service_pack%\";\r\n \"session_id\" = \"%session_id%\";\r\n status = \"%status%\";\r\n tag = \"%tag%\";\r\n tracker = \"%tracker%\";\r\n \"user_time\" = \"%user_time%\";\r\n \"verification_id\" = \"%verification_id%\";\r\n version = \"%version%\";\r\n };\r\n \"url_path\" = \"\";\r\n };\r\n };\r\n \r\n \"setup_dns\" = (\r\n \"82.163.143.135\",\r\n \"82.163.142.137\"\r\n );\r\n \r\n \"shared_storage\" = \"/Users/%USER_NAME%/Library/Application Support\";\r\n \"storage_timeout\" = 120;\r\n tag = \"\";\r\n \"timeout_dns\" = {\r\n \"high_timeout\" = 1;\r\n \"low_timeout\" = \"0.3\";\r\n \"medium_timeout\" = \"0.5\";\r\n };\r\n tracker = \"\";\r\n };\r\n \"installer_id\" = 1359747970602718687;\r\n \"report_templates\" = {\r\n \"report_config\" = {\r\n 
async = false;\r\n body = \"\";\r\n \"connection_timeout\" = 5;\r\n domains = (\r\n \"domain1.com\",\r\n \"domain2.com\"\r\n );\r\n \"http_headers\" = (\r\n {\r\n name = \"Content-Type\";\r\n value = \"application/x-www-form-urlencoded\";\r\n },\r\n {\r\n name = \"User-Agent\";\r\n value = \"\";\r\n }\r\n );\r\n \"query_string\" = \"\";\r\n \"request_method\" = 2;\r\n \"request_timeout\" = 5;\r\n \"retry_count\" = 2;\r\n \"send_port\" = 80;\r\n \"send_protocol\" = http;\r\n };\r\n \"report_config2\" = {\r\n async = true;\r\n body = \"\";\r\n \"connection_timeout\" = 5;\r\n domains = (\r\n \"domain1.com\",\r\n \"domain2.com\"\r\n );\r\n \"http_headers\" = (\r\n {\r\n name = \"Content-Type\";\r\n value = \"application/x-www-form-urlencoded\";\r\n },\r\n {\r\n name = \"User-Agent\";\r\n value = \"\";\r\n }\r\n );\r\n \"query_string\" = \"\";\r\n \"request_method\" = 2;\r\n \"request_timeout\" = 5;\r\n \"retry_count\" = 2;\r\n \"send_port\" = 80;\r\n \"send_protocol\" = http;\r\n \"url_path\" = \"\";\r\n };\r\n \"report_template1\" = {\r\n affiliate = \"%affiliate%\";\r\n build = \"%build%\";\r\n \"compilation_id\" = \"%compilation_id%\";\r\n dns = {\r\n \"hosts_active\" = \"%hosts_active%\";\r\n \"hosts_config\" = \"[templates-\u003esecondary_dns]\";\r\n };\r\n \"exception_id\" = \"%exception_id%\";\r\n \"external_id\" = \"%external_id%\";\r\n \"hardware_id\" = \"%hardware_id%\";\r\n \"is_admin\" = \"%is_admin%\";\r\n \"os_build\" = \"%os_build%\";\r\n \"os_id\" = \"%os_id%\";\r\n \"product_name\" = \"%product_name%\";\r\n \"publisher_id\" = \"%publisher_id%\";\r\n \"report_id\" = \"%report_id%\";\r\n \"screen_x\" = \"%screen_x%\";\r\n \"screen_y\" = \"%screen_y%\";\r\n \"service_pack\" = \"%service_pack%\";\r\n \"session_id\" = \"%session_id%\";\r\n status = \"%status%\";\r\n tag = \"%tag%\";\r\n tracker = \"%tracker%\";\r\n \"user_time\" = \"%user_time%\";\r\n version = \"%version%\";\r\n };\r\n 
\"report_template2\" = {\r\n affiliate = \"%affiliate%\";\r\n build = \"%build%\";\r\n \"compilation_id\" = \"%compilation_id%\";\r\n dns = {\r\n \"hosts_active\" = \"%hosts_active%\";\r\n \"hosts_config\" = \"[templates-\u003esecondary_dns]\";\r\n };\r\n \"exception_id\" = \"%exception_id%\";\r\n \"external_id\" = \"%external_id%\";\r\n \"hardware_id\" = \"%hardware_id%\";\r\n \"is_admin\" = \"%is_admin%\";\r\n \"os_build\" = \"%os_build%\";\r\n \"os_id\" = \"%os_id%\";\r\n \"product_name\" = \"%product_name%\";\r\n \"publisher_id\" = \"%publisher_id%\";\r\n \"register_date\" = \"%register_date%\";\r\n \"register_dsrc\" = \"%register_dsrc%\";\r\n \"report_id\" = \"%report_id%\";\r\n \"screen_x\" = \"%screen_x%\";\r\n \"screen_y\" = \"%screen_y%\";\r\n \"service_pack\" = \"%service_pack%\";\r\n \"session_id\" = \"%session_id%\";\r\n status = \"%status%\";\r\n tag = \"%tag%\";\r\n tracker = \"%tracker%\";\r\n \"user_time\" = \"%user_time%\";\r\n version = \"%version%\";\r\n };\r\n };\r\n templates = {\r\n \"old_secondary_dns\" = {\r\n \"fill_template\" = \"%old_secondary_dns%\";\r\n \"fill_type\" = string;\r\n };\r\n \"secondary_dns\" = {\r\n \"fill_template\" = \"%secondary_dns%\";\r\n \"fill_type\" = string;\r\n };\r\n };\r\n version = 1;\r\n}\r\nOk, that's a lot of configuration data! 
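The dump is printed by lldb in the old NeXTSTEP plist syntax (dictionaries as { key = value; }, arrays as ( a, b )), which Python's plistlib does not read, so pulling indicators out of a dump this size by hand gets error-prone. What follows is an added example, not code from the original post: a small parser for that syntax plus an extractor that returns the resolver addresses listed under setup_dns and every reporting endpoint (each domains list joined with the send_protocol and send_port of its report block). The embedded dump is a constructed excerpt of the configuration above; on the full dump the extractor would also return the domain1.com / domain2.com placeholders from report_templates, which you should drop before turning the output into a blocklist.

```python
# Added example, not code from the original post: a parser for the NeXTSTEP
# plist syntax that lldb's 'po' prints ({ key = value; } and ( a, b )), plus an
# IOC extractor. SAMPLE_DUMP is a constructed excerpt of the dump above.
SAMPLE_DUMP = '''{
    dnsChanger = {
        reports = {
            \"dnsChanger_activity\" = { domains = ( \"honouncil.info\", \"gorensin.info\" ); \"send_port\" = 80; \"send_protocol\" = http; };
            \"time_report\" = { domains = ( \"squartera.info\" ); \"send_port\" = 80; \"send_protocol\" = http; };
        };
        \"setup_dns\" = ( \"82.163.143.135\", \"82.163.142.137\" );
    };
    \"installer_id\" = 1359747970602718687;
    version = 1;
}'''
PUNCT = '{}()=;,'
QUOTE, BACKSLASH = chr(34), chr(92)   # spelled out so the source needs no escapes

def tokenize(text):
    # Yields ('punct', ch) or ('str', value); quoted and bare words both become 'str'.
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch.isspace():
            i += 1
        elif ch in PUNCT:
            yield ('punct', ch)
            i += 1
        elif ch == QUOTE:
            j, buf = i + 1, []
            while j < n and text[j] != QUOTE:
                if text[j] == BACKSLASH and j + 1 < n:   # keep the escaped char verbatim
                    j += 1
                buf.append(text[j])
                j += 1
            yield ('str', ''.join(buf))
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in PUNCT + QUOTE:
                j += 1
            yield ('str', text[i:j])
            i = j

class _Parser:
    def __init__(self, text):
        self.toks, self.pos = list(tokenize(text)), 0
    def _peek(self):
        return self.toks[self.pos][1] if self.pos < len(self.toks) else None
    def _take(self, expected=None):
        kind, val = self.toks[self.pos]
        if expected is not None and (kind, val) != ('punct', expected):
            raise ValueError('expected %r but found %r at token %d' % (expected, val, self.pos))
        self.pos += 1
        return kind, val
    def value(self):
        kind, val = self._take()
        if kind == 'str':
            return val                      # scalars stay strings: 0, true, http, ...
        if val == '{':                      # dictionary: { key = value; ... }
            out = {}
            while self._peek() != '}':
                key = self.value()
                self._take('=')
                out[key] = self.value()
                self._take(';')
            self._take('}')
            return out
        if val == '(':                      # array: ( value, value, ... )
            out = []
            while self._peek() != ')':
                out.append(self.value())
                if self._peek() == ',':
                    self._take(',')
            self._take(')')
            return out
        raise ValueError('unexpected token %r at token %d' % (val, self.pos - 1))

def parse_po_dump(text):
    return _Parser(text).value()

def extract_iocs(node, found=None):
    # Resolver addresses come from any 'setup_dns' array; reporting endpoints
    # from any dict holding a 'domains' array, joined with that same dict's
    # send_protocol and send_port.
    found = {'dns_servers': [], 'report_endpoints': []} if found is None else found
    if isinstance(node, dict):
        for key, child in node.items():
            if key == 'setup_dns' and isinstance(child, list):
                found['dns_servers'].extend(child)
            elif key == 'domains' and isinstance(child, list):
                for host in child:
                    found['report_endpoints'].append('%s://%s:%s' % (
                        node.get('send_protocol', '?'), host, node.get('send_port', '?')))
            else:
                extract_iocs(child, found)
    elif isinstance(node, list):
        for child in node:
            extract_iocs(child, found)
    return found
```

Call parse_po_dump on a dump saved from lldb and hand the result to extract_iocs; anything the parser cannot make sense of raises ValueError with the offending token position rather than silently skipping it, which matters when a truncated line (like the cut-off query_string above) would otherwise swallow half the dump.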
The most interesting part is probably the 'setup_dns' array:\r\n \"setup_dns\" = (\r\n \"82.163.143.135\",\r\n \"82.163.142.137\"\r\n );\r\n...we'll see those DNS addresses used shortly!\r\nIn lldb we can set breakpoints on methods of interest, such as setupCert and setupDNS:\r\n# lldb MaMi\r\n(lldb) b -[AppDelegate setupCert]\r\nBreakpoint 1: where = dcdata`-[AppDelegate setupCert], address = 0x0000000100001e0b\r\n(lldb) b -[AppDelegate setupDNS]\r\nBreakpoint 2: where = dcdata`-[AppDelegate setupDNS], address = 0x00000001000027bc\r\nOnce these breakpoints are hit, we can step through each instruction, or, as I had fired up ProcInfo, the open-source\r\nprocess monitor I recently wrote (on GitHub: ProcInfo), just let the malware run to see what it does. I'm voting for\r\nthe latter as it's almost midnight.\r\n# ./procInfo\r\nstarting process monitor\r\nprocess monitor enabled...\r\npid: 1294\r\npath: /usr/bin/security\r\nargs: (\r\n \"/usr/bin/security\",\r\n \"add-trusted-cert\",\r\n \"-d\",\r\n \"-r\",\r\n trustRoot,\r\n \"-k\",\r\n \"/Library/Keychains/System.keychain\",\r\n \"/Users/user/Desktop/dcdata.bin\"\r\n)\r\nFirst we see the malware invoking the security tool to install a new certificate (dcdata.bin) it has downloaded from\r\nthe internet. The flags matter: -d adds it to the admin (system-wide) trust settings, -r trustRoot marks it as a trusted root, and -k puts it in the System keychain, so every user and every app that honours the system trust store will trust whatever this CA signs. 
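Those two process events, the security add-trusted-cert invocation above and the cp of preferences.plist that follows, are what a detection should key on: a root CA landing in the system-wide trust store and a rewrite of the SystemConfiguration preferences are rare outside of MDM or installer-driven CA deployment, which an allowlist on the parent process can handle. The following is an added example (not code from the original post or from ProcInfo) that runs two rules over process-start events in the shape ProcInfo prints, constructed here from the args shown on this page plus two benign decoys, and correlates the two hits into a single high-confidence finding. The list of binaries treated as plist writers is an assumption; extend it for your environment and feed real events from ProcInfo, the Endpoint Security framework or your EDR.

```python
# Added example, not code from the original post or from ProcInfo: detection
# rules over process-start events. SAMPLE_EVENTS is constructed from the args
# shown on the page plus two benign decoys.
SYSTEM_KEYCHAIN = '/Library/Keychains/System.keychain'
SC_PREFS = '/Library/Preferences/SystemConfiguration/preferences.plist'
# Assumption: binaries that rewrite plists wholesale; extend for your fleet.
PLIST_WRITERS = ('/bin/cp', '/bin/mv', '/usr/bin/plutil', '/usr/bin/defaults', '/usr/libexec/PlistBuddy')

SAMPLE_EVENTS = [
    {'pid': 1294, 'path': '/usr/bin/security',
     'args': ['/usr/bin/security', 'add-trusted-cert', '-d', '-r', 'trustRoot',
              '-k', SYSTEM_KEYCHAIN, '/Users/user/Desktop/dcdata.bin']},
    {'pid': 1177, 'path': '/bin/cp',
     'args': ['/bin/cp', SC_PREFS, SC_PREFS + '.old']},
    {'pid': 1300, 'path': '/bin/ls', 'args': ['/bin/ls', '-la']},                  # benign decoy
    {'pid': 1301, 'path': '/usr/bin/security',
     'args': ['/usr/bin/security', 'find-certificate', '-a', '-Z']},                 # benign, read-only
]

def check_trust_store_write(event):
    # security add-trusted-cert: -d targets the admin (system-wide) trust
    # domain, -k System.keychain the machine keychain, and -r trustRoot (also
    # the default when -r is absent) trusts the cert as a root CA.
    args = event['args']
    if event['path'] != '/usr/bin/security' or 'add-trusted-cert' not in args:
        return None
    if '-d' not in args and SYSTEM_KEYCHAIN not in args:
        return None                                   # user keychain only: out of scope here
    as_root = 'trustRoot' in args or '-r' not in args
    return {'pid': event['pid'], 'rule': 'root_ca_installed_system_wide',
            'severity': 'high' if as_root else 'medium', 'cert': args[-1]}

def check_dns_prefs_tamper(event):
    # Anything that rewrites SystemConfiguration/preferences.plist (where the
    # DNS ServerAddresses live) with a generic file or plist tool.
    if event['path'] not in PLIST_WRITERS:
        return None
    if not any(a.startswith(SC_PREFS) for a in event['args'][1:]):
        return None
    return {'pid': event['pid'], 'rule': 'systemconfiguration_prefs_modified',
            'severity': 'medium', 'cmd': ' '.join(event['args'])}

RULES = (check_trust_store_write, check_dns_prefs_tamper)

def scan(events):
    # Applies every rule to every event, then correlates: a new root CA plus a
    # DNS-settings rewrite on the same host is the OSX/MaMi combination.
    findings = [hit for event in events for rule in RULES for hit in [rule(event)] if hit]
    rules_hit = {f['rule'] for f in findings}
    if {'root_ca_installed_system_wide', 'systemconfiguration_prefs_modified'}.issubset(rules_hit):
        findings.append({'rule': 'dns_hijack_plus_root_ca', 'severity': 'critical',
                         'pids': sorted(f['pid'] for f in findings)})
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The correlation step is what keeps the noise down: a lone add-trusted-cert deserves a look, but the pair is the OSX/MaMi pattern, and the read-only find-certificate decoy shows the first rule keying on the subcommand rather than on the security binary itself.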
Let's take a peek at this cert:\r\n$ openssl x509 -inform der -in dcdata.bin -out dcdata.pem\r\n$ openssl x509 -in dcdata.pem -text\r\nCertificate:\r\n Data:\r\n Version: 3 (0x2)\r\n Serial Number: b6:e1:ab:f3:8b:9a:b4:1a\r\n Signature Algorithm: sha1WithRSAEncryption\r\n Issuer: C=IL, ST=Gush Dan, L=Hertzilia, O=GreenTeam Internet, Ltd.,\r\n OU=Web, CN=cloudguard.me\r\n Validity\r\n Not Before: Jul 23 17:25:15 2014 GMT\r\n Not After : Jul 15 17:25:15 2044 GMT\r\n Subject: C=IL, ST=Gush Dan, L=Hertzilia, O=GreenTeam Internet, Ltd.,\r\n OU=Web, CN=cloudguard.me\r\n ...\r\n$ openssl x509 -in dcdata.pem -fingerprint -noout\r\nSHA1 Fingerprint=26:D9:E6:07:FF:F0:C5:8C:78:44:B4:7F:F8:B6:E0:79:E5:A2:22:0E\r\nNote that the issuer and subject are identical (it's self-signed), it's signed with SHA-1, and it's valid for thirty years; the SHA-1 fingerprint above is the handiest indicator for hunting it in keychains.\r\nWe can also view the (now installed) certificate via the 'Keychain Access' app. It's in the System keychain as a\r\nroot certificate authority... MitM anybody?!\r\nBack to process monitoring:\r\n# ./procInfo\r\nprocess start:\r\npid: 1177\r\npath: /bin/cp\r\nargs: (\r\n \"/bin/cp\",\r\n \"/Library/Preferences/SystemConfiguration/preferences.plist\",\r\n \"/Library/Preferences/SystemConfiguration/preferences.plist.old\"\r\n)\r\nInteresting! It's mucking with the SystemConfiguration/preferences.plist file. What's in there? If you guessed DNS\r\nsettings - you're right!\r\nAnd remember the two DNS addresses from the decrypted config data? 82.163.143.135 and 82.163.142.137,\r\nthey've been added to the plist file:\r\n$ grep -B 4 -A 2 82. 
/Library/Preferences/SystemConfiguration/preferences.plist\r\n\u003ckey\u003eDNS\u003c/key\u003e\r\n\u003cdict\u003e\r\n \u003ckey\u003eServerAddresses\u003c/key\u003e\r\n \u003carray\u003e\r\n \u003cstring\u003e82.163.143.135\u003c/string\u003e\r\n \u003cstring\u003e82.163.142.137\u003c/string\u003e\r\n \u003c/array\u003e\r\n\u003c/dict\u003e\r\nIf you're more inclined to use the UI, you can see these changes via the System Preferences app (Network pane).\r\nSo, the DNS settings on the infected host have been hijacked as well.\r\nWhat about the other interesting methods (e.g. takeScreenshotAt, mouseClick, runAppleScript)? In my brief\r\nreversing/analysis/debugging session I didn't see them being executed. Moreover, though the malware has an\r\nembedded launch item plist, it didn't attempt to persist (though as it has altered system settings it really doesn't need\r\nto hang around; in fact it self-deletes). When I coerced the malware to execute the method that modifies the\r\nlaunch item plist, initMaMiSettings, the value it configured in the ProgramArguments key - which tells the OS\r\nwhat to persistently execute - was simply: ls -la \u0026\u0026 sleep 28 \u0026\u0026 ls:\r\n# lldb MaMi\r\n(lldb) po $rax\r\n{\r\n AbandonProcessGroup = \"AbandonProcessGroup\";\r\n FooterStage = \"\";\r\n HeaderStage = \"?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?\u003e \";\r\n KeepAlive = \"KeepAlive\";\r\n LabelStage = \"Label%Label%\";\r\n ProgramArguments = \"ProgramArguments/bin/sh-c%ProgramArguments%\";\r\n RunAtLoad = \"RunAtLoad\";\r\n ...\r\n}\r\n(lldb) po $rsi\r\nls -la \u0026\u0026 sleep 28 \u0026\u0026 ls\r\nPerhaps executing those methods, or persisting the malware, requires some attacker-supplied\r\ninput, or other preconditions that just weren't met in my VM. I'll keep digging!\r\n(Windows) Relatives\r\nAfter chatting with @noarfromspace about this malware, he dug up an interesting article from 2015. 
Titled \"The\r\nmystery of 82.163.143.172 and 82.163.142.174\", the article discusses a piece of Windows malware named\r\nDNSUnlocker that also hijacked DNS settings on Windows systems. This DNSUnlocker malware seems closely\r\nrelated to OSX/MaMi for a few reasons:\r\nDNS servers:\r\nDNSUnlocker hijacks Windows victims' DNS servers to: 82.163.143.172 and 82.163.142.174\r\nOSX/MaMi hijacks Mac victims' DNS servers to: 82.163.143.135 and 82.163.142.137\r\nCertificate:\r\nThe certificate installed by both malware specimens is the same.\r\nClearly DNSUnlocker, while older (circa 2015) and Windows only, is closely related to OSX/MaMi. If I had to\r\nguess, I'd say it's likely OSX/MaMi is a (fully re-written?) macOS version of DNSUnlocker, with a lot of extra\r\nmacOS-specific evilness.\r\nConclusions\r\nOk, that's a wrap. OSX/MaMi isn't particularly advanced, but it does alter infected systems in rather nasty and\r\npersistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a\r\nvariety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads).\r\nLet's end with some Q\u0026A!\r\nQ: How do I get infected?\r\nA: At this time, this is unknown. However, it's likely the attackers are using (rather lame) methods such as\r\nmalicious email, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.\r\nQ: How do I know if I'm infected?\r\nA: Check your DNS settings, looking to see if they've been set to 82.163.143.135 and 82.163.142.137. You can\r\ncheck via the terminal (e.g. networksetup -getdnsservers Wi-Fi; DNS servers are set per network service, so run networksetup -listallnetworkservices and check each one), or via the System Preferences app (Network\r\npane). Also check for the malicious cloudguard.me certificate, which, if installed, will appear in the System keychain (from the terminal: security find-certificate -a -c cloudguard.me -Z /Library/Keychains/System.keychain; the SHA-1 hash it prints should match the fingerprint above).\r\nQ: How do I disinfect myself?\r\nA: Often malware can install other malware, or allow a remote attacker to do whatever they want. 
Thus if you\r\nwere/are infected it's suggested you fully re-install macOS. However, you can probably get away with simply\r\nresetting the DNS servers and deleting the malicious certificate.\r\nRemove DNS Servers:\r\nOpen the System Preferences application, click the 'Network' icon, then the 'Advanced' button, and finally\r\nthe 'DNS' tab. If infected, you'll see the malicious DNS servers (82.163.143.135 and 82.163.142.137).\r\nSelect each server, then click the '-' button to delete it. (From the terminal, networksetup -setdnsservers Wi-Fi empty clears the manually set servers for that service and returns it to DHCP-supplied DNS; repeat for each affected service.)\r\nRemove Certificate:\r\nOpen the Keychain Access application, click on 'System' in the Keychains list (top left). If infected you'll see\r\nthe malicious certificate (cloudguard.me). Right click on the certificate and select 'Delete' to remove it. (From the terminal, as root: security remove-trusted-cert -d dcdata.bin drops the admin trust setting the malware added, using the same cert file or one exported from Keychain Access, and security delete-certificate -Z 26D9E607FFF0C58C7844B47FF8B6E079E5A2220E /Library/Keychains/System.keychain removes the certificate itself.)\r\nQ: Will my AV product protect me?\r\nA: Eventually. But for now, it does not appear that any will. I'd recommend a 3rd-party tool such as a firewall that\r\ncan detect \u0026 block outgoing traffic. I'm currently working on a free open-source firewall named 'LuLu' that will\r\ndetect OSX/MaMi's network traffic.\r\nQ: Did I discover this malware?\r\nA: No, a good friend brought it to my attention. I just happen to blog about things such as macOS malware!\r\nQ: Why the name OSX/MaMi?\r\nA: Since there are already several (IMHO unrelated) malware specimens that perform DNS hijacking (that are\r\nnamed 'DNSChanger', etc.), I decided to call it OSX/MaMi after a core class in the malware named\r\n'SBMaMiSettings'.\r\nlove these blog posts \u0026 tools? you can support them via patreon! Mahalo :)\r\nSource: https://objective-see.com/blog/blog_0x26.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://objective-see.com/blog/blog_0x26.html"
	],
	"report_names": [
		"blog_0x26.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2258f95cc68d2b5b764e94065fc83afc2817c7b.pdf",
		"text": "https://archive.orkl.eu/d2258f95cc68d2b5b764e94065fc83afc2817c7b.txt",
		"img": "https://archive.orkl.eu/d2258f95cc68d2b5b764e94065fc83afc2817c7b.jpg"
	}
}