macOS hit by DNS hijacker called MaMi

January 17, 2018

Back in 2012, the DNSChanger malware was affecting millions of Windows PCs; now, in 2018, malware using the same DNS-hijacking approach has been observed on macOS. The threat was first analyzed by Patrick Wardle, who named it OSX/MaMi.

Like DNSChanger, MaMi is served from a number of recently registered domains, from which it is downloaded and then installed. Once installed, it forcibly changes the system's DNS servers and installs a root certificate. It is also reported to be highly persistent: when a victim manually restores the DNS entries, it sets them back to the malicious servers.

How does MaMi function?

* Installs a root certificate – A trusted root certificate lets the attackers perform an effective man-in-the-middle attack on TLS traffic, with uses ranging from stealing login credentials to inserting ads.
* Sets custom DNS servers – The DNS server addresses MaMi adds are under the criminals' control, so they can resolve every request the victim makes and redirect it to malicious domains or advertising they control.
* Takes screenshots – of the desktop.
* Runs AppleScripts – Script execution lets the Trojan carry out whatever tasks its payload defines.
* Gets OS launch persistence – Loads itself at system startup.
* Downloads and uploads files – Lets it steal sensitive files and, in all probability, fetch additional modules or scripts.

“OSX/MaMi isn't particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Wardle says. “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads).”

But Wardle fears the malware could evolve quickly and may have more secrets hidden in its code. “Perhaps in order for the [more intrusive] methods [taking screenshots, executing commands] to be executed or for the malware to be persisted, requires some attacker-supplied input, or other preconditions that just weren't met in my VM. I'll keep digging!” Wardle said.

It's easy to tell if you've been hit with OSX/MaMi by checking the DNS servers configured on your Mac. Open the Apple menu > System Preferences, then:

- Select Network

- Click Advanced

- Choose the DNS tab

- Look for 82.163.143.135 and 82.163.142.137

If you see either of those IP addresses, your Mac has been hit with OSX/MaMi. It's unclear right now which files need to be removed from your Mac to remove the threat. Changing the DNS entries to something else, like Google's 8.8.8.8, seems to fix the problem for now, though since the malware is reported to re-apply its servers you should re-check after a reboot. Resetting DNS also does nothing about the root certificate MaMi installs; while that certificate stays trusted, the attackers can still intercept TLS sessions from any position on the network path, so it needs to be found in the keychain and removed as well.
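As an added example (not code from the original article or from Wardle's analysis), here is a shell script that performs the same check from a terminal: it pulls every IPv4 address out of the resolver configuration and compares each one, exact-match, against the two addresses above. The two IOC addresses are the article's; the function names, the `scutil --dns` and `networksetup` plumbing around them, and the sample resolver output are this example's own assumptions, and the samples are constructed data rather than real captures. The live check only runs on macOS; the offline demo runs anywhere with a POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the original article or from Wardle's analysis:
# check a Mac's resolver configuration for the two OSX/MaMi DNS server
# addresses the article lists. The IOC addresses are the article's; the
# function names and the sample resolver output below are this example's own.

# Indicators of compromise quoted in the article (one per line).
MAMI_IOC_DNS="82.163.143.135
82.163.142.137"

# Constructed sample of `scutil --dns` output from a hypothetical infected Mac,
# used for the offline demo. It is made-up data, not a real capture.
SAMPLE_SCUTIL_INFECTED='DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)'

# Constructed sample from a clean Mac that uses its home router as resolver.
SAMPLE_SCUTIL_CLEAN='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 5 (en0)
  flags    : Request A records'

# Read resolver output on stdin (scutil --dns, or networksetup -getdnsservers),
# extract every dotted-quad address and compare it with the IOC list.
# Prints each matching address; returns 1 if any IOC is present, 0 if clean.
mami_dns_check() {
    found=$(grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u || true)
    status=0
    for ioc in $MAMI_IOC_DNS; do
        # -x forces a whole-line match, so 82.163.143.13 does not hit on .135
        if printf '%s\n' "$found" | grep -Fxq "$ioc"; then
            echo "MaMi DNS IOC present: $ioc"
            status=1
        fi
    done
    return $status
}

# Live check for macOS: feeds the active resolver configuration plus every
# network service's configured DNS servers into mami_dns_check. Refuses to
# run where Apple's tools are absent.
mami_live_check() {
    if ! command -v networksetup >/dev/null 2>&1; then
        echo "networksetup not found: run this on macOS" >&2
        return 2
    fi
    {
        scutil --dns
        networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
            networksetup -getdnsservers "${svc#\*}"   # a leading "*" marks a disabled service
        done
    } | mami_dns_check
}

# The article says MaMi also installs a root certificate but does not name it,
# so this only lists the System keychain certificate labels for manual review.
mami_list_system_certs() {
    security find-certificate -a /Library/Keychains/System.keychain | grep '"labl"'
}

# The article's interim fix: point a service (e.g. "Wi-Fi") at 8.8.8.8.
# Because the malware is reported to re-apply its servers, re-run the check
# after a reboot; this removes neither the malware nor its certificate.
mami_reset_dns() {
    networksetup -setdnsservers "$1" 8.8.8.8
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_SCUTIL_INFECTED" | mami_dns_check \
              || echo "sample resolver config is infected (exit $?)" ;;
    live) mami_live_check && echo "no MaMi DNS servers configured" ;;
esac
```

Run `sh mami_check.sh live` on the Mac in question (reading the configuration needs no root); `sh mami_check.sh demo` replays the constructed sample. The check is an exact match on the two published addresses, so a variant pointed at different servers would slip past it: treat any resolver you did not configure yourself as suspicious, and review the keychain listing for a root certificate you do not recognise.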

As always, you can minimize the risk of installing the malware by avoiding websites you don’t trust, not clicking on pop-ups or other alerts on webpages, and not clicking links in email messages from people you don’t know.
