CYBER NEWS

Crypto Investors on Slack and Discord: Beware of the OSX.Dummy Malware

Security researchers recently discovered how attackers are using macOS malware known as OSX.Dummy to target cryptocurrency investors through the Slack and Discord chat platforms. The chat platforms are abused by cybercriminals who impersonate administrators in order to trick users.

Related Story: 15-Year-Old macOS Bug in IOHIDFamily Leads to Full System Compromise

The way the malware is distributed isn't particularly sophisticated, but compromised systems remain at risk of remote code execution, which may lead to a variety of malicious outcomes. According to Digita Security, once a connection to the attackers' command and control servers succeeds, the attackers are able to execute arbitrary commands on infected hosts as root.

OSX.Dummy, Slack and Discord Chat Platforms – How Attacks Happen

The first researcher to pick up the OSX.Dummy malware was Remco Verhoef, who shared his discovery on the SANS Infosec Handlers Diary Blog. This is what he said:

Over the previous days we've seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chat groups by impersonating admins or key people. Small snippets are shared, resulting in downloading and executing a malicious binary.

Users are tricked into executing a script which then downloads the OSX.Dummy malware using cURL. The downloaded file is saved to /tmp/script on the Mac and is then executed. "The file is a large Mach-O 64-bit binary (34M), rating a perfect score of 0/60 on VirusTotal," the researcher said. The malware binary is unsigned, yet it evidently bypasses macOS Gatekeeper, which is supposed to prevent unsigned software from being downloaded and executed.

How is this possible? If the user downloads and runs a binary using terminal commands, Gatekeeper is not invoked and the unsigned binary executes without a problem. This simply means that the built-in protections and mitigations of macOS are not sufficient and should not be relied upon blindly, the researchers note.

How does OSX.Dummy escalate its permissions to root?

This is another good question concerning macOS security. The escalation happens while the binary is being executed: a sudo command run via Terminal changes the malware's permissions to root. This requires the user to enter their password in the terminal. As explained by Apple, executing a sudo command in Terminal requires the user to be logged in with a password-protected admin account.

Once that is done, OSX.Dummy drops code into various system directories, such as "/Library/LaunchDaemons/com.startup.plist", which makes OSX.Dummy's presence on the system quite persistent.

Verhoef, the researcher who first reported the malware infections, also added that:

The bash script (which runs a python command) tries to connect to 185[.]243[.]115[.]230 at port 1337 within a loop and the python code creates a reverse shell. To ensure execution during startup it creates a launch daemon. At the moment I was testing this, the reverse shell failed to connect.

Related Story: OSX.Coinminer Trojan – How to Detect and Remove from Your Macbook

Why was the malware dubbed OSX.Dummy?

Because one of the directories where the victim's password is dumped is called "/tmp/dumpdummy". Another reason is that the infection channel is rather dull and unsophisticated, the binary is large (and dumb!), and the persistence mechanism and overall capabilities are equally crude. Nevertheless, upon a successful attack the malware can connect to its command and control server and take control of the compromised system, making it not that dumb after all.
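The article names several concrete artifacts of an OSX.Dummy infection: a launch daemon at /Library/LaunchDaemons/com.startup.plist, a staged binary at /tmp/script, the password dump at /tmp/dumpdummy, and a reconnect loop toward 185[.]243[.]115[.]230 on port 1337. The following triage script is an added example written for this page; it is not code from the article, from Digita Security or from SANS. It parses a directory of LaunchDaemon plists with the standard library's plistlib, flags the com.startup label and any daemon that executes from /tmp, and searches a script body for the C2 address and the dump path. The directory to scan and the script text are parameters, and the block builds its own constructed sample plists in a temporary directory so it runs on any OS; on a real Mac you would point it at /Library/LaunchDaemons instead.

```python
"""Added triage example for the OSX.Dummy indicators quoted in the article.
Not the article's or any vendor's code; sample plists and script are constructed."""
import os
import plistlib
import re
import tempfile

# Indicators taken from the article text (the IP is defanged there as 185[.]243[.]115[.]230).
C2_HOST = "185.243.115.230"
C2_PORT = "1337"
DAEMON_LABEL = "com.startup"
DUMP_PATH = "/tmp/dumpdummy"
STAGE_PATH = "/tmp/script"


def scan_launch_daemons(daemon_dir):
    """Inspect every .plist in daemon_dir and return (path, reason) pairs that
    match the persistence pattern the article describes: the com.startup label,
    or a daemon whose program or arguments live under /tmp."""
    findings = []
    for name in sorted(os.listdir(daemon_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(daemon_dir, name)
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:
            # A daemon file launchd cannot parse deserves a look as well; keep sweeping.
            findings.append((path, "unparseable plist: %s" % exc))
            continue
        label = str(data.get("Label", ""))
        argv = [str(a) for a in (data.get("ProgramArguments") or [])]
        if data.get("Program"):
            argv.insert(0, str(data["Program"]))
        if label == DAEMON_LABEL:
            findings.append((path, "label %s matches the OSX.Dummy daemon" % label))
        tmp_args = [a for a in argv if a.startswith("/tmp/") or a.startswith("/private/tmp/")]
        if tmp_args:
            findings.append((path, "daemon executes from /tmp: %s" % " ".join(tmp_args)))
    return findings


def scan_script(text):
    """Return the article's network and file indicators found in a script body."""
    reasons = []
    if re.search(r"\b" + re.escape(C2_HOST) + r"\b", text):
        reasons.append("references C2 host %s" % C2_HOST)
    if re.search(r"\b" + re.escape(C2_HOST) + r"\D+" + C2_PORT + r"\b", text):
        reasons.append("C2 host paired with port %s" % C2_PORT)
    if DUMP_PATH in text:
        reasons.append("writes to %s (password dump location)" % DUMP_PATH)
    return reasons


# Constructed sample: carries only the indicator strings and does nothing else.
SAMPLE_SCRIPT = """#!/bin/bash
while true; do
  echo "would contact 185.243.115.230 1337"
  sleep 5
done
echo "placeholder" > /tmp/dumpdummy
"""


def build_sample_daemon_dir():
    """Write two constructed plists to a temp dir: a benign-looking daemon and
    one shaped like the article's com.startup persistence entry."""
    d = tempfile.mkdtemp(prefix="launchdaemons-sample-")
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/usr/local/bin/updater", "--check"],
              "RunAtLoad": True}
    dummy = {"Label": DAEMON_LABEL,
             "ProgramArguments": ["/bin/bash", STAGE_PATH],
             "RunAtLoad": True, "KeepAlive": True}
    for fname, content in (("com.example.updater.plist", benign), ("com.startup.plist", dummy)):
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return d


def triage(daemon_dir, script_text):
    """Run both checks and return one report dict."""
    return {"launch_daemons": scan_launch_daemons(daemon_dir),
            "script": scan_script(script_text)}


if __name__ == "__main__":
    report = triage(build_sample_daemon_dir(), SAMPLE_SCRIPT)
    for path, reason in report["launch_daemons"]:
        print("[daemon] %s: %s" % (path, reason))
    for reason in report["script"]:
        print("[script] %s" % reason)
```

The /tmp check is deliberately broader than the single path the article mentions: a LaunchDaemon that runs anything out of a world-writable temporary directory is unusual on a healthy system, so the rule catches renamed stagers as well as /tmp/script. Finding only the string indicators is weaker evidence, since the attackers can change the address and port at will.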

Milena Dimitrova
