Malware, Vulnerability Management

OS X MaMi DNS hijacker spotted, analyzed

An independent security researcher has published a quick analysis of a new macOS DNS hijacker that is closely related to a previously uncovered Windows-only version capable of enabling man-in-the-middle attacks.

Patrick Wardle, blogging at Objective-see.com, has dubbed the malware MaMi and believes it is a fully rewritten macOS version of DNSUnlocker. The malware, first mentioned in a Malwarebytes forum, is likely quite new, as VirusTotal is not yet flagging it as malicious. Once installed, it is capable of taking screenshots, generating simulated mouse events, possibly persisting as a launch item, downloading and uploading files, and executing commands.

“OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads),” Wardle wrote.

The infection vector is not known, and the best way to check for infection is to see whether the computer's DNS settings have been set to 82.163.143.135 and 82.163.142.137, the researcher said.
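The DNS check described above, written out as a POSIX shell script. This is an added example, not code from the article or from Objective-See; it assumes the macOS `networksetup` utility is available for enumerating network services and their resolvers, and reads the two indicator addresses the article names. The matching logic is kept in a function that reads addresses from standard input so it can be exercised with constructed data on any platform.

```shell
#!/bin/sh
# Added example: checks a macOS host's configured DNS servers against the two
# resolver addresses the article names as OSX/MaMi indicators.
# Not part of the article or of Objective-See's tooling.

# Indicator addresses quoted in the article
MAMI_DNS="82.163.143.135 82.163.142.137"

# dns_matches_mami: reads DNS server addresses on stdin, one per line,
# prints each address that matches an indicator, and returns 0 (true) if
# at least one matched, 1 otherwise.
dns_matches_mami() {
  found=1
  while read -r addr; do
    for ioc in $MAMI_DNS; do
      if [ "$addr" = "$ioc" ]; then
        echo "MATCH: $addr"
        found=0
      fi
    done
  done
  return $found
}

# collect_macos_dns: prints the DNS servers configured on every network
# service. Relies on macOS networksetup (assumed present on the host);
# prints nothing on other platforms so the script degrades cleanly.
collect_macos_dns() {
  command -v networksetup >/dev/null 2>&1 || return 0
  # first line of -listallnetworkservices is an explanatory header; skip it
  networksetup -listallnetworkservices 2>/dev/null | tail -n +2 | while read -r svc; do
    # -getdnsservers prints a sentence when none are set; keep only IPv4 literals
    networksetup -getdnsservers "$svc" 2>/dev/null \
      | grep -E '^[0-9]+(\.[0-9]+){3}$'
  done
}

# Stand-alone run: enumerate resolvers and report
if collect_macos_dns | dns_matches_mami; then
  echo "WARNING: a configured resolver matches an OSX/MaMi indicator;" \
       "review the system keychain for an unexpected root certificate and check launch items"
else
  echo "No OSX/MaMi DNS indicator found among configured resolvers"
fi
```

Resolvers pushed by DHCP are not shown by `networksetup -getdnsservers` (it reports only manually configured entries), which is exactly what makes a manually set 82.163.x.x pair stand out; a clean result here still leaves the root-certificate check from the quoted analysis to be done by hand.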
