Security researchers recently found out how attackers are using macOS malware known as OSX.Dummy to target cryptocurrency investors using the Slack and Discord chat platforms. The chat platforms are abused by cybercriminals who are impersonating admins to trick users.
The way the malware is distributed is not sophisticated, but compromised systems remain at risk of remote code execution, which may lead to various malicious outcomes. According to Digita Security, upon a successful connection to the attackers’ command and control servers, they are able to execute arbitrary commands on infected hosts at the root level.
OSX.Dummy, Slack and Discord Chat Platforms – How Attacks Happen
The first researcher to pick up the OSX.Dummy malware was Remco Verhoef who shared his discovery with the SANS Infosec Handlers Diary Blog. This is what he said:
Over the previous days we’ve seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chat groups by impersonating admins or key people. Small snippets are shared, resulting in downloading and executing a malicious binary.
Users are tricked into executing a script which then downloads the OSX.Dummy malware using cURL. The downloaded file is saved to /tmp/script and is then executed. “The file is a large mach064 binary (34M), rating a perfect score of 0/60 on VirusTotal,” the researcher said. The malware binary is unsigned, yet it clearly gets past macOS Gatekeeper, which is supposed to stop unsigned software from being downloaded and executed.
How is that possible? When the user downloads and runs a binary using terminal commands, Gatekeeper is not triggered, so the unsigned binary executes without a problem. This simply means that the built-in protections and mitigations of macOS are not sufficient and should not be relied upon blindly, researchers note.
How does OSX.Dummy escalate its permissions to root?
This is another good question concerning macOS security. It happens while the binary is executed: a sudo command run in Terminal changes the malware’s permissions to root, which requires the user to enter their password in the terminal. As Apple explains, running a sudo command in Terminal requires the user to be logged in with a password-protected admin account.
Once this is done, OSX.Dummy drops code in various system directories, such as “/Library/LaunchDaemons/com.startup.plist”, thus making its presence on the system quite persistent.
Verhoef, the researcher who first reported the malware infections, also added that:
The bash script (which runs a python command) tries to connect to 185[.]243[.]115[.]230 at port 1337 within a loop and the python code creates a reverse shell. To ensure execution during startup it creates a launch daemon. At the moment I was testing this, the reverse shell failed to connect.
Why was the malware dubbed OSX.Dummy?
Because one of the directories where the victim’s password is dumped is called “/tmp/dumpdummy”. Another reason is that the infection channel is rather dull and unsophisticated, and the binary is big (and dumb!), as are the persistence mechanism and the overall capabilities. Nonetheless, after a successful attack the malware can connect to its command and control server and take control of the compromised system, making it not that dumb after all.
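As an added example (not code from the page or from the researchers it cites), the indicators the write-up gives for the persistence and reverse-shell stages (the com.startup LaunchDaemon, the /tmp/script and /tmp/dumpdummy drop paths, and the 185.243.115.230:1337 reverse-shell target) can be turned into a small host check. The constant and function names are this example's own, and the "python plus port 1337 on the command line" heuristic is an assumption about how the launch daemon is written.

```python
import os
import plistlib

# Indicators taken from the write-up above (reverse-shell target, drop paths,
# LaunchDaemon label). Constants and function names are this example's own.
C2_HOST = "185.243.115.230"
C2_PORT = 1337
DROP_PATHS = ("/tmp/script", "/tmp/dumpdummy", "/Library/LaunchDaemons/com.startup.plist")
DAEMON_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents")

def inspect_launch_daemon(plist_bytes):
    """Return findings for one LaunchDaemon/LaunchAgent plist body (empty list = clean)."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # a malformed plist in a daemon dir is itself worth a look
        return [f"unparseable plist: {exc}"]
    args = plist.get("ProgramArguments", [])
    command = " ".join(str(a) for a in ([args] if isinstance(args, str) else args))
    command += " " + str(plist.get("Program", ""))
    findings = []
    if plist.get("Label") == "com.startup":
        findings.append("Label com.startup matches the OSX.Dummy persistence plist")
    if C2_HOST in command:
        findings.append(f"job command references the reported C2 host {C2_HOST}")
    if "python" in command and str(C2_PORT) in command:  # assumed reverse-shell pattern
        findings.append(f"job runs python against port {C2_PORT} (reverse-shell pattern)")
    if findings and plist.get("RunAtLoad"):
        findings.append("RunAtLoad is set, so the job is restarted at every boot")
    return findings

def present_drop_paths(root="/"):
    """OSX.Dummy drop paths that exist under root (a mounted image or test dir works too)."""
    return [p for p in DROP_PATHS if os.path.exists(os.path.join(root, p.lstrip("/")))]

def scan_daemon_dirs(root="/"):
    """Map each suspicious persistence plist under root to its findings."""
    report = {}
    for d in DAEMON_DIRS:
        full = os.path.join(root, d.lstrip("/"))
        for name in os.listdir(full) if os.path.isdir(full) else []:
            if name.endswith(".plist"):
                with open(os.path.join(full, name), "rb") as fh:
                    findings = inspect_launch_daemon(fh.read())
                if findings:
                    report[os.path.join(full, name)] = findings
    return report

if __name__ == "__main__":  # live check of the local machine
    print(present_drop_paths(), scan_daemon_dirs())
```

Pointing `root` at a mounted disk image lets the same check run over an offline system, and a hit on the label or host is a reason to pull the plist and the referenced script for analysis.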