The researcher posted his findings on the Malwarebytes forum, and none other than Patrick Wardle (an ex-NSA hacker) analyzed the sample, having this to say:
“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads) or to insert cryptocurrency mining scripts into web pages.”
In addition, the binary was found to contain code, not yet wired up to anything, that would eventually allow it to:
- Upload and download files
- Execute commands
- Generate simulated mouse events
- Take screenshots
And more. At present, none of these capabilities are active, which points to the malware still being very much in development. Thomas Reed of Malwarebytes posted in the forum on January 31, 2018, “we’re no closer to finding the infection vector designed to run the malware in the first place. Nobody that I know of has found it yet.”
At present, there are no anti-malware or antivirus programs detecting this new strain. That, of course, will change in short order. For the time being, the best way to verify whether or not your machine is infected is to inspect your DNS settings: either open “System Preferences,” go to Network, select your active connection, click Advanced and look at the DNS tab, or open the Terminal app and list the configured resolvers with networksetup or scutil --dns. Since the malware also installs a root certificate, it is worth opening Keychain Access and checking the System keychain for a root certificate you do not recognize.
Two DNS server addresses you don’t want to see are: 82.163.143.135 or 82.163.142.137.
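The manual check above, scripted. This is an added example and not code from the original post or from any of the researchers mentioned; it assumes the two DNS server addresses listed above are the only indicators to match on, gathers the resolvers the way a macOS admin would (networksetup for each network service, scutil for the live resolver state), and only runs the collection step on macOS so the matching logic can be exercised on any POSIX shell with constructed input.

```sh
#!/bin/sh
# Known OSX/MaMi DNS servers, as reported in the analysis above.
MAMI_DNS="82.163.143.135 82.163.142.137"

# check_dns_servers: read whitespace-separated IPv4 addresses on stdin,
# print every one that matches a MaMi resolver, and return 1 if any matched
# (0 when the list is clean), so the function can drive an if/else.
check_dns_servers() {
  found=0
  for ip in $(cat); do
    for bad in $MAMI_DNS; do
      if [ "$ip" = "$bad" ]; then
        echo "SUSPICIOUS DNS server: $ip"
        found=1
      fi
    done
  done
  return $found
}

# collect_dns_servers (macOS only): print the DNS servers configured on every
# network service plus the resolvers the system is actually using right now.
# The two views can differ; MaMi hijacks the configured servers, so both are
# worth comparing.
collect_dns_servers() {
  # First line of the listing is a legend; disabled services carry a leading '*'.
  networksetup -listallnetworkservices 2>/dev/null | tail -n +2 | sed 's/^\*//' |
  while IFS= read -r svc; do
    # Prints "There aren't any DNS Servers set on ..." when none; keep only IPs.
    networksetup -getdnsservers "$svc" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
  done
  scutil --dns 2>/dev/null | awk '/nameserver\[/ {print $3}'
}

main() {
  if collect_dns_servers | sort -u | check_dns_servers; then
    echo "No OSX/MaMi DNS servers configured."
  else
    echo "DNS settings match OSX/MaMi; review them and the System keychain."
    # Certificates that were given custom trust in the admin domain (where an
    # attacker-installed root would show up). Review anything you do not recognize.
    security dump-trust-settings -d 2>/dev/null
  fi
}

# Only attempt the collection on macOS; elsewhere the matching function is
# still usable, e.g. with a pasted resolver list on stdin.
case "$(uname -s)" in
  Darwin) main ;;
esac
```

Running it on an infected machine prints each offending resolver and then dumps the admin-domain trust settings so you can spot the injected root certificate; on a clean machine it reports the DNS settings as clean. Constructed input such as `printf '8.8.8.8\n82.163.142.137\n' | sh -c '. ./mami-check.sh; check_dns_servers'` exercises the matching on any system.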
If you’d rather not check manually, Patrick Wardle has created a free, open-source firewall for macOS called “LuLu,” which you can download from GitHub. This program alerts you to, and lets you block, outbound connections from processes you haven’t approved, so it can flag and stop OSX/MaMi when the malware tries to phone home or exfiltrate data. It is not a substitute for removing the malware, the rogue DNS settings and the root certificate.
As threats go, this one is relatively minor, but it’s still early in the year, and whoever is behind this piece of code will no doubt be making improvements to it. Stay tuned.
On January 18, 2018, Stefano Donadio of Spider-Mac reported (translated from Italian with Google Translate): “In fact, Apple yesterday released Malware Removal Tool (MRT) 1.28, an update of one of the security tools built into OS X El Capitan, macOS Sierra and High Sierra (the update is performed remotely by Apple; no action is required by the user, it is sufficient that the computer is connected to the Internet).”