Security researchers have discovered new malware targeting Mac owners discussing cryptocurrencies on Slack and Discord chat websites.
According to security researcher Remco Verhoef, multiple MacOS malware attacks, originating within crypto related Slack or Discord chats, have been observed. Hackers have been infiltrating these groups pretending to be administrators or key people on these websites.
In a Sans Institute blog post, Verhoef said that small snippets are being shared, resulting in downloading and executing a malicious binary. When the code is installed it attempts to connect to a command and control (C&C) server owned by the attackers. If the connection to the C&C server succeeds, hackers can then remotely access the Mac and run code on it.
This malware also steals user passwords and stores these on the local machine.
“CrownCloud, a German-based provider is the owner of the block of 22.214.171.124 and the server appears to be located in the Netherlands,” said Verhoef.
According to a blog post by another researcher, Patrick Wardle, chief research officer and founder of Digita Security, the infection method of the malware, he has called OSX.Dummy, is “dumb”.
“Apparently attackers are asking users to infect themselves,” he said. He also lambasted the size of the malware, coming in at 34MB and also claimed that the persistence mechanism is “lame”, as its places code into the Launch Daemons directory.
“The capabilities are rather limited (and thus rather dumb), it's trivial to detect at every step (that dumb)...and finally, the malware saves the user's password to dumpdummy.”
“I guess the take away here is (yet again) the built-in macOS malware mitigations should never be viewed as a panacea.”
Dr Johannes Ullrich, dean of Research at SANS Institute of Technology, told SC Media UK that users need to be careful what software they install. “This is probably the number one defence in this particular case, since anti-malware does not protect users until a signature is added to it. OS X tools like “LittleSnitch” can also warn the user when new software like this establishes outbound network connections,” he said.
Ullrich added that in enterprise environments, inspection of TLS traffic via special proxies or next generation firewalls may help to defend against this specific threat. But in general, up-to-date anti malware protection is obviously important, and for Macs in particular, tight “Gatekeeper” policies that prevent the install of unapproved software.
“For Macs, the open source utility “Santa” can also be used to monitor the install of unapproved software,” he said.
Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks, told SC Media UK that in this case, the malware was conspicuous and crude; however, that tends to be the case in earlier versions of just about any software, including those which are malicious.
“We should expect such attacks to improve over time. As for organisations, they have some benefits in that they can typically control their network and environment more tightly than home users. In-house instances of such chat groups therefore can be rigorously checked for membership and the content being shared. Multi-factor authentication should be used to ensure that leaked or stolen credentials do not allow simply anyone to join an organisations chat room,” he said.