Attackers are targeting cryptocurrency users with new macOS malware, infecting victims in Slack and Discord groups by getting them to run a malicious script.
Posing as group administrators in cryptocurrency chat groups, they share a script disguised as a helpful hint and encourage users to copy and paste it into a Terminal window on their Mac.
Once entered, the command downloads a 34 megabyte payload from a remote server and opens backdoor access to the infected machine, according to Remco Verhoef of SANS, who first discovered the threat.
Later dubbed OSX.Dummy by Mac malware expert Patrick Wardle, for a host of reasons, the infection is able to bypass Gatekeeper, an extra layer of security in macOS, when it is launched directly from terminal commands, despite being unsigned code, which in theory should cause it to be blocked immediately. The reason is that Gatekeeper only inspects files carrying the quarantine attribute that browsers and other download-aware apps set; a binary fetched with curl and started from the shell never gets that attribute, so it is never checked.
Among Wardle's observations, he noted that "the method of infection is dumb, the massive size of the binary is dumb, the persistence mechanism is lame (and thus also dumb)" and "the capabilities are rather limited (and thus rather dumb)".
The oversized binary attempts to encrypt its communication with the server it came from and, once executed, uses sudo to elevate its privileges on the infected machine. From there, it simply drops a shell script and a launch daemon to keep itself running.
Although the malware is not particularly exceptional, according to Thomas Reed, director of Mac and mobile at Malwarebytes, the distribution method is itself interesting, given how often people on forums give instructions that involve running terminal commands line by line.
"There were other cases where scripts were really malicious," he wrote on the cybersecurity company's official blog.
"The best known of all was an infamous trick where users were asked to run the following command to solve their problem: sudo rm – unfortunately, for the users who actually followed directions such as these, this command actually erases the hard drive.
"So there is a precedent to be wary of shell scripts posted online, but still, many people will continue to run highly suspect scripts without worry. Readers are encouraged to educate users about the dangers of this behavior on every occasion."
The executable also asks for a password on first run, which can pass for normal sudo behavior, and then stores it in small data files called "dumpdummy" on the infected Mac.
This, according to Reed, poses a "serious security threat", and since the file itself is not malicious, it will not be detected by security software; removing the infection will not necessarily delete the "dumpdummy" files.
The analysts involved have not yet been able to determine the attackers' targets, but since the malware is able to run code from the command line as root and cryptocurrency users are being targeted, the motive is likely cryptocurrency theft.
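The two things a responder would actually look for on a Mac after an incident like this are the persistence described above (a launch daemon that runs a dropped shell script) and the leftover password files. The following triage helper is an added example written for this article, not code from the article, from Wardle, from SANS or from Malwarebytes. It flags launchd jobs whose program lives in a user-writable path, is a script, or is configured to relaunch when killed, and it searches for files whose name contains "dumpdummy". The launchd directories, the writable-path list, the sample job paths (`/var/root/script.sh`, `com.startup`) and the sample password file are assumptions used to build an offline fixture; the article gives no concrete paths.

```python
"""Triage helper for a Mac suspected of running a paste-into-Terminal dropper
like OSX.Dummy: list launchd jobs that look script-dropped, and find leftover
files named like 'dumpdummy'.

Added example, not code from the article or from the researchers it quotes.
The directories, prefixes and fixture paths below are assumptions.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Standard launchd job directories on macOS (assumed set to scan).
LAUNCH_DIRS = (
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
)
# A system-wide daemon whose program sits in one of these was almost certainly
# written by a script or a user, not installed by a package (assumed list).
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/var/root/")
SCRIPT_SUFFIXES = (".sh", ".command", ".py", ".pl")


def assess_job(job: dict) -> list:
    """Return reasons a launchd job dict looks like script-dropped persistence.

    An empty list means nothing stood out; it does not prove the job is benign.
    """
    reasons = []
    programs = []
    if isinstance(job.get("Program"), str):
        programs.append(job["Program"])
    programs += [a for a in job.get("ProgramArguments", []) if isinstance(a, str)]

    for arg in programs:
        if arg.startswith(WRITABLE_PREFIXES):
            reasons.append(f"runs from a user-writable location: {arg}")
        if arg.endswith(SCRIPT_SUFFIXES):
            reasons.append(f"runs a script rather than a signed binary: {arg}")
        if "curl " in arg or "| sh" in arg or "|sh" in arg:
            reasons.append(f"inline download-and-execute: {arg}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: relaunched immediately if killed")
    return reasons


def scan_launch_dirs(dirs=LAUNCH_DIRS) -> dict:
    """Map plist path -> reasons for every suspicious-looking job under dirs."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for path in sorted(Path(d).glob("*.plist")):
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # an unparseable plist is itself worth a look
                findings[str(path)] = [f"could not parse plist: {exc}"]
                continue
            reasons = assess_job(job)
            if reasons:
                findings[str(path)] = reasons
    return findings


def find_dumpdummy(roots, needle="dumpdummy") -> list:
    """Paths of files whose name contains `needle` (case-insensitive) under roots.

    The article says the captured sudo password is kept in small files called
    'dumpdummy' but gives no directory, so the caller chooses where to look.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            hits += [os.path.join(dirpath, f) for f in files if needle in f.lower()]
    return sorted(hits)


def demo() -> tuple:
    """Run both checks over a constructed fixture in a temp dir (touches no real system paths)."""
    tmp = tempfile.mkdtemp()
    daemons = Path(tmp, "LaunchDaemons")
    daemons.mkdir()
    # Constructed benign job: a binary under /usr/local, no KeepAlive.
    with open(daemons / "com.example.updater.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/local/bin/updater", "--check"],
                       "RunAtLoad": True}, fh)
    # Constructed job shaped like the article's description: a shell script in a
    # user-writable path, started at boot and kept alive. Label and path are assumed.
    with open(daemons / "com.startup.plist", "wb") as fh:
        plistlib.dump({"Label": "com.startup",
                       "ProgramArguments": ["/bin/sh", "/var/root/script.sh"],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    Path(tmp, "dumpdummy").write_text("hunter2\n")  # constructed leftover password file
    return scan_launch_dirs([str(daemons)]), find_dumpdummy([tmp])


if __name__ == "__main__":
    jobs, leftovers = demo()
    for path, reasons in jobs.items():
        print(path)
        for r in reasons:
            print("   -", r)
    print("dumpdummy files:", leftovers)
```

On a real machine, call `scan_launch_dirs()` with the defaults and `find_dumpdummy(["/tmp", "/Users", "/var/root"])` or whatever roots fit your environment; the point of `find_dumpdummy` is the one Reed makes, that uninstalling the daemon and script does not touch the file holding the user's password, so it has to be hunted and removed separately.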