
New “OSX/MaMi” malware attacks macOS DNS settings

Fasten your seat belts and check your defenses: a new piece of malware is on the loose.

As reported by ZDNet, a new macOS threat was discovered and described in a Malwarebytes forum post. In it, the user says he was helping someone else get rid of something that had been installed “accidentally”, after which the malware took over the computer's DNS settings. He says he tried to delete the entries 82.163.143.135 and 82.163.142.137 from the DNS settings, but they always came back.

After the forum post, developer Patrick Wardle decided to dissect the malware, named “OSX/MaMi”, and published his analysis. According to Wardle, the malware does not appear to be anything sophisticated: it is an unsigned 64-bit Mach-O executable at version 1.1.0, that is, quite new.

Unsigned MaMi malware

The analysis is quite extensive, with several screenshots and details extracted from the file, and you can read it on this page. Wardle concludes by describing what the threat may entail:

OSX/MaMi is not particularly advanced, but it changes infected systems in a very unpleasant and persistent way. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions, such as man-in-the-middle attacks (perhaps to steal credentials or inject ads).

The author of the malware, and how the threat spreads, remain unknown to those analyzing it. In conversation with another analyst, however, they concluded that this new threat could be related to another piece of malware from 2015, called “DNSUnlocker”, which likewise tampered with the DNS settings of Windows systems.

To find out whether you have been infected, open System Preferences > Network > Advanced > DNS and look for the addresses 82.163.143.135 and 82.163.142.137. Also check Keychain Access for a certificate named cloudguard.me. If you find both (or either of them), delete them; note that the forum user reported the DNS entries coming back after deletion, so check again afterwards. If that does not get rid of them, the advice is to reinstall macOS completely.
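The same two checks from the command line, as an added example that is not part of the article or of Wardle's analysis. It looks only for what the article names: the two DNS addresses (in `networksetup` and `scutil --dns` output) and a certificate labelled cloudguard.me (via `security find-certificate`). The function names are ours; the live checks only run on macOS, while the two matching functions also accept captured output from another machine.

```shell
#!/bin/sh
# Added example (not from the article or from Patrick Wardle's write-up):
# look for the two OSX/MaMi indicators the article names, the hijacked DNS
# servers and the cloudguard.me certificate, from the command line.
# Assumption: the IPs and the certificate name are exactly as the article lists them.

MAMI_DNS="82.163.143.135 82.163.142.137"
MAMI_CERT="cloudguard.me"

# Count how many of the MaMi DNS addresses occur in the text read from stdin.
# Feed it the output of `scutil --dns` or `networksetup -getdnsservers <service>`.
count_mami_dns() {
    _input=$(cat)
    _hits=0
    for _ip in $MAMI_DNS; do
        # -F: literal match, so the dots in the address are not regex wildcards
        if printf '%s\n' "$_input" | grep -qF -- "$_ip"; then
            _hits=$((_hits + 1))
        fi
    done
    echo "$_hits"
}

# Exit 0 if stdin (e.g. `security find-certificate` output) mentions the cert.
mentions_mami_cert() {
    grep -qF -- "$MAMI_CERT"
}

# Resolver configuration of a live macOS host: the DNS servers of every
# network service, followed by the system resolver view.
dump_dns_config() {
    networksetup -listallnetworkservices 2>/dev/null | tail -n +2 | while IFS= read -r svc; do
        printf '%s: ' "$svc"
        networksetup -getdnsservers "$svc" 2>/dev/null | tr '\n' ' '
        printf '\n'
    done
    scutil --dns 2>/dev/null
}

# Search the System keychain (where a root certificate would be installed)
# and the user's keychains for the certificate by name.
dump_mami_cert() {
    security find-certificate -a -c "$MAMI_CERT" /Library/Keychains/System.keychain 2>/dev/null
    security find-certificate -a -c "$MAMI_CERT" 2>/dev/null
}

# Only run the live checks on macOS; on other systems the functions above can
# still be used on output captured from the suspect Mac.
if [ "$(uname -s)" = "Darwin" ]; then
    n=$(dump_dns_config | count_mami_dns)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n MaMi DNS address(es) present in the resolver configuration"
    else
        echo "OK: no MaMi DNS addresses configured"
    fi
    if dump_mami_cert | mentions_mami_cert; then
        echo "WARNING: certificate '$MAMI_CERT' found in a keychain"
    else
        echo "OK: no '$MAMI_CERT' certificate found"
    fi
fi
```

The script only reports; it deletes nothing, so it is safe to re-run after you remove the entries by hand to confirm they have not come back, which is exactly the symptom the forum user described.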

And, as always, there is no such thing as too much security: even if you have not been infected, keep the macOS firewall enabled (System Preferences > Security & Privacy > Firewall) and do not install unknown applications on your machine.

via Cult of Mac