MaMi-The First Mac Malware of 2018

0
106

The new year is the time for new beginnings and learning experiences! It seems like this thought hackers have decided to break new grounds with a nasty piece of undetectable malware. Patrick Wardle an Apple-centric security researcher has spotted a new threat targeting Mac OSX dubbed MaMi malware. This threat looks like the popular DNS changer malware that infected millions of systems in 2012. DNS changer performed the attack by changing DNS settings on compromised machines. Allowing an attacker to direct internet traffic to a nasty server and catch confidential information.

This MaMi malware designed to hijack DNS settings from Mac OS devices and they steal personal and confidential user information without detecting. It signs Mac-O-64 bit executable.

digitalworldhub

How the Malware Spotted?

The sample of MaMi malware obtained after a user reported about an infection on Malwarebytes forum. It mentioned that when the Mac infected as DNS server was resetting automatically to 82.163.143.138 and 82.163.142.137. When the threat discover it found that it goes undetected on all engines at VirusTotal meaning it is very advanced.

How Does the Malicious Code Work?

The malicious code installs a new root certificate and hijacks the DNS server that helps an attacker to perform the number of nefarious activities like a man in the middle attack to steal personal information or inject ads.

MaMi is a DNS hijacker and performs following actions, but many of them are not available  in current version 1.1.1:

Taking screenshots
Fakes mouse movements
Downloads and uploads files
Executes commands.

The nasty code discovers on various sites but the source or distribution channel is still unknown. The developer using this method to infection emails, fake security alerts, pop-ups on websites and social engineering attacks.

How to Check if Your Mac OS Infects?

To check if your machine infects, go to the terminal via System Preferences and check DNS servers code if they are set to 82.163.148.135 and 82.163.142.137 then it is infected.

How to Stay Protected?

Now anti-virus software cannot detect malware, for this reason, you need to be extra cautious. To stay protected keep following points in mind:

Don’t use a 3rd party tool.
Can use free open source firewall LULU, created by the researcher who detected the threat.
plz, Avoid enabling flash player requests.
Don’t download third-party product that mentions they can secure your system.