An independent security researcher has done a quick analysis of a new Mac OS X DNS hijacker that is closely related to a previously uncovered Windows-only version that is capable of allowing man-in-the-middle attacks.
Patrick Wardle, blogging at Objective-see.com, has dubbed the malware MaMi and believes it is a fully rewritten macOS version of DNSUnlocker. The malware, first mentioned in a Malwarebytes forum, is likely quite new, as it is not yet being flagged as malicious by VirusTotal, but once installed it is capable of taking screenshots, generating simulated mouse events, downloading and uploading files, executing commands, and perhaps persisting as a launch item.
“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads),” Wardle wrote.
The infection vector is not yet known, and the best way to check for infection is to see whether the computer’s DNS settings have been set to 126.96.36.199 and 188.8.131.52, the researcher said.
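As an added example (not code from the article or from Objective-See), the shell check below looks for the two DNS server addresses the article names in the macOS resolver configuration; parsing `scutil --dns` output and the embedded sample output are this example's own assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the OSX/MaMi DNS indicators named in the article
# in macOS resolver configuration. Not from the article or Objective-See.

# DNS servers the article reports MaMi configures on infected hosts.
MAMI_DNS="126.96.36.199 188.8.131.52"

# extract_nameservers: print unique IPv4 nameservers from text shaped like
# `scutil --dns` ("  nameserver[0] : 1.2.3.4") or a bare list of IPs, one
# per line (as `networksetup -getdnsservers <service>` prints). Argument 1
# is the text to parse.
extract_nameservers() {
    printf '%s\n' "$1" |
        sed -n -e 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//' \
               -e '/^[0-9][0-9.]*$/p' |
        sort -u
}

# check_indicators: print each configured nameserver that matches the MaMi
# list (one per line); return 0 if any matched, 1 if none did.
check_indicators() {
    found=""
    for ns in $(extract_nameservers "$1"); do
        for ioc in $MAMI_DNS; do
            [ "$ns" = "$ioc" ] && found="$found $ns"
        done
    done
    [ -n "$found" ] && { printf '%s\n' $found; return 0; }
    return 1
}

# Constructed sample in `scutil --dns` format (not captured from a real host).
SAMPLE='DNS configuration

resolver #1
  nameserver[0] : 126.96.36.199
  nameserver[1] : 188.8.131.52
  if_index : 6 (en0)
  flags    : Request A records
'

# Live check when run on macOS; silently skipped where scutil is absent.
if command -v scutil >/dev/null 2>&1; then
    if hits=$(check_indicators "$(scutil --dns 2>/dev/null)"); then
        echo "MaMi DNS indicators present:"; echo "$hits"
    else
        echo "No MaMi DNS indicators in resolver configuration."
    fi
fi
```

A match only confirms the DNS part of the infection; the root certificate the article mentions must be reviewed in the keychain separately.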