It's official, the first macOS malware of 2018 is here. Discovered by an independent security researcher and dubbed "OSX/MaMi," the code is functionally similar to DNSChanger malware.
The researcher posted his findings on the Malwarebytes forum and none other than Patrick Wardle (an ex-NSA hacker) analyzed it, having this to say:
"OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads) or to insert cryptocurrency mining scripts into web pages."
In addition to that, hooks were found in the software that would eventually allow it to:
- Upload and download files
- Execute commands
- Generate simulated mouse events
- Take screenshots
And more, although at present, these features are not yet active, which points to the malware as being a piece of code still very much in development.
At present, there are no anti-malware or antivirus programs capable of detecting this new strain. That, of course, will change in short order. However, for the time being, the best way to verify whether or not your machine is infected is to go through "System Preferences" and into the terminal app to check your DNS settings.
Two values you don't want to see there are: 220.127.116.11 or 18.104.22.168.
If you'd rather not check manually, Patrick Wardle has created a free, open-source firewall for macOS called "Lulu," which you can download from GitHub. This program was designed to block suspicious traffic and will prevent OSX/MaMi from stealing anything from your system.
As threats go, this one is relatively minor, but it's still early in the year, and whomever is behind this piece of code will no doubt be making improvements on it. Stay tuned.