DNS-Hijacking Malware Bypasses Antivirus and Infects Apple MacOS
Here’s a bit of bad news for Mac users: there are reports of fresh malware that has bypassed antivirus software and infected macOS. This malware is also reported to snoop on macOS users’ internet traffic.
The infection was first reported by a Malwarebytes forum user going by the name MikeOfMaine, who discovered the malware when he noticed that something had changed the DNS settings on a friend’s Mac.
This is what MikeOfMaine wrote in the forum: “I am helping a fellow teacher. She accidentally installed something and her DNS now appears to be hacked… Malwarebytes found ‘MyCoupon’ but that was all. I manually removed the offending DNS entries (22.214.171.124 & 126.96.36.199) but they keep coming back. I don’t see any extensions, startup items, or other obvious signs of what is going wrong… I tried to generate a report, but there is no ‘Support’ option under Help on the version on her laptop.”
Experts feel that this Mac malware is akin to the DNSChanger malware that targeted many Mac machines in 2012; that malware changed the DNS server setting on the infected system and routed traffic through the attacker’s server, allowing the attacker to snoop on the victim’s internet traffic.
This new macOS malware has been dubbed ‘OSX/MaMi’ by Patrick Wardle of Objective-See. Wardle, who describes himself as “a passionate Mac user and security researcher who’s drank the ‘Apple juice’”, investigated the malware in detail following MikeOfMaine’s forum post.
Wardle has written a blog post on the malware; it begins with the comment: “2018 is barely two weeks old, and already it looks like we’ve got new piece of macOS malware! Hooray :)”
He then discusses the Malwarebytes forum post that prompted him to study the malware and gives a detailed analysis of it. He explains that the malware, a DNS hijacker, invokes security tools to install a new root certificate and attempts to intercept encrypted communications and unprotected data.
Patrick Wardle writes: “OSX/MaMi isn’t particular advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)”. He explains that, at the time he wrote the post, it was not known how the infection occurs, and speculates that the attackers may be using methods such as “…malicious email, web-based fake security alerts/popups, or social-engineering type attacks to target mac users”.
Wardle explains how a Mac user can check whether they are infected: “Check your DNS settings, looking to see if they’ve been set to 188.8.131.52 and 184.108.40.206. You can check via the terminal (e.g. networksetup -getdnsservers Wi-Fi), or via the System Preferences app (Network pane). Also check for malicious cloudguard.me certificate, which if installed, will appear in the System Keychain”.
A user can remove the infection by fully reinstalling macOS, or probably by resetting the DNS servers and deleting the malicious certificate, says Wardle.
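As an added example (not code from Wardle’s post or the Malwarebytes thread), here is a POSIX shell script that automates the two checks Wardle describes on a Mac. It uses the DNS addresses exactly as quoted in the article, assumes the standard networksetup and security command-line tools, and keeps the matching logic in functions that take command output as text so they can be exercised with constructed input on any system.

```shell
# Added example: checks a Mac for the two OSX/MaMi indicators named in the
# article, hijacked DNS servers and a cloudguard.me certificate in the System
# keychain. DNS addresses are taken verbatim from the article's quoted checklist.
MAMI_DNS="188.8.131.52 184.108.40.206"
MAMI_CERT_NAME="cloudguard.me"

# dns_is_hijacked OUTPUT: OUTPUT is the text printed by
# `networksetup -getdnsservers <service>`. Returns 0 (true) when any listed
# server is a known MaMi address, 1 otherwise. Pure text check, testable anywhere.
dns_is_hijacked() {
    for server in $1; do
        for bad in $MAMI_DNS; do
            [ "$server" = "$bad" ] && return 0
        done
    done
    return 1
}

# cert_is_present OUTPUT: OUTPUT is the text printed by
# `security find-certificate -a -c <name> <keychain>`, whose records carry a
# "labl" attribute holding the certificate label. Returns 0 if the name appears.
cert_is_present() {
    printf '%s\n' "$1" | grep -q "labl.*$MAMI_CERT_NAME"
}

# scan_mac: runs the real checks on every network service (macOS only).
# Returns 1 if either indicator is found, 0 if the machine looks clean.
scan_mac() {
    found=0
    # first line of -listallnetworkservices is an explanatory header
    services=$(networksetup -listallnetworkservices 2>/dev/null | tail -n +2)
    while IFS= read -r svc; do
        case $svc in \**) continue ;; esac   # leading '*' marks a disabled service
        out=$(networksetup -getdnsservers "$svc" 2>/dev/null)
        if dns_is_hijacked "$out"; then
            echo "WARNING: $svc uses a MaMi DNS server: $out"
            found=1
        fi
    done <<EOF
$services
EOF
    certs=$(security find-certificate -a -c "$MAMI_CERT_NAME" \
        /Library/Keychains/System.keychain 2>/dev/null)
    if cert_is_present "$certs"; then
        echo "WARNING: $MAMI_CERT_NAME certificate found in the System keychain"
        found=1
    fi
    return $found
}
```

Run scan_mac from a terminal on the Mac being checked; a non-zero exit status means at least one indicator was found.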
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com.