- LamePyre takes screenshots and sends them to its C2 server. It uses the open source backdoor EmPyre to inject its functionality in the background.
- The malware tries to appear as a legitimate version of the Discord messenger to fool users.
Though MacOS is generally less targeted than the Windows operating system, it is never all quiet on the western front either. Just this month, we have witnessed significant activity in malware targeting Apple’s MacOS.
The latest MacOS malware, dubbed LamePyre, was discovered by Adam Thomas from Malwarebytes. The malware is capable of taking screenshots and running a backdoor. However, it does not do much beyond that, hence the name. Its limited capabilities suggest that it is still under development.
LamePyre tricks users by appearing as a copy of the Discord messaging app used by gamers. In reality, it is just a shell script which shows up as the typical Automator icon in the menu bar on MacOS when run by the user. The script used in LamePyre first decodes its payload and then runs a loop to capture screenshots and send them to its command and control (C2) server.
Adam Thomas noted that the script also runs a Python script which sets up the EmPyre open source backdoor. DarthMiner, another recently discovered malware on MacOS, also uses this backdoor for injecting cryptocurrency mining capabilities in the background.
Additionally, the script adds a launch agent named com.apple.systemkeeper.plist in order to keep the backdoor and screenshot functionality running persistently. Interestingly, the author has not made much effort to actually make it appear like an actual copy of the Discord messenger.
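The launch agent described above is the kind of artifact a defender can check for. The following is an added example, not code from the article or from Malwarebytes: a small scanner that parses the plists in the macOS LaunchAgents folders and flags entries matching the com.apple.systemkeeper label the article names, as well as agents that use an Apple-style label outside /System/Library, launch a script interpreter, or combine RunAtLoad with KeepAlive. Those heuristics, the interpreter list and the two sample plists it builds in a temporary folder are all constructed for illustration and are not taken from the malware sample.

```python
"""Added example (not from the article): scan macOS LaunchAgents folders for
suspicious persistence entries such as the com.apple.systemkeeper.plist launch
agent the article attributes to LamePyre. All heuristics and sample plist
contents below are constructed assumptions, not details from the sample."""
import os
import plistlib
import tempfile

# Label the article names as LamePyre's persistence artifact.
KNOWN_BAD_LABELS = {"com.apple.systemkeeper"}

# Apple's own launch agents ship under /System/Library; a plist in a
# user-writable LaunchAgents folder that claims a "com.apple." label is
# suspicious on its own (assumption: a heuristic, not a rule from the page).
USER_AGENT_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
]

# Interpreters commonly used to launch script payloads (constructed list).
SCRIPT_INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "osascript"}


def assess_agent(path, plist):
    """Return the reasons this launch agent looks suspicious (empty list = clean)."""
    reasons = []
    label = plist.get("Label", "")
    if label in KNOWN_BAD_LABELS:
        reasons.append("label matches known LamePyre persistence artifact")
    if label.startswith("com.apple.") and not path.startswith("/System/"):
        reasons.append("Apple-style label outside /System/Library")
    args = plist.get("ProgramArguments") or []
    if args:
        exe = os.path.basename(str(args[0]))
        if exe in SCRIPT_INTERPRETERS:
            reasons.append("runs a script interpreter: " + " ".join(map(str, args)))
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (persistent, auto-restarting)")
    return reasons


def scan_launch_agents(dirs=USER_AGENT_DIRS):
    """Parse every .plist in the given folders; return {path: reasons} for hits only."""
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception:
                findings[path] = ["unparseable plist"]
                continue
            reasons = assess_agent(path, plist)
            if reasons:
                findings[path] = reasons
    return findings


def build_sample_dir():
    """Create a temporary LaunchAgents folder holding one constructed benign plist
    and one constructed plist mimicking the persistence entry from the article."""
    d = tempfile.mkdtemp(prefix="launchagents-")
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "StartInterval": 3600,
    }
    suspicious = {
        "Label": "com.apple.systemkeeper",
        "ProgramArguments": ["/usr/bin/python", "-c", "PLACEHOLDER_PAYLOAD"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for fname, content in [("com.example.updater.plist", benign),
                           ("com.apple.systemkeeper.plist", suspicious)]:
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return d


if __name__ == "__main__":
    # Run against the constructed folder; pass USER_AGENT_DIRS to scan a real Mac.
    sample = build_sample_dir()
    for path, reasons in scan_launch_agents([sample]).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

Run as-is it only inspects the constructed folder; calling scan_launch_agents() with no argument walks the real user and system LaunchAgents folders. The label-based match is the only indicator taken from the article; the other three rules are generic heuristics that will also flag legitimate third-party agents and should be treated as triage hints rather than verdicts.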
“This malware is really unconvincing, as it does nothing at all to pretend that it is a legit Discord app. It is not a maliciously-modified copy of the Discord app,” Thomas wrote. “It doesn’t even include and launch a copy of the Discord app, which it could do easily as a subterfuge to make the app look legit. For that matter, it doesn’t even use a convincing icon!”
However, the malware is still capable of capturing a few screenshots and sending them to the attacker, before users realize that something may be wrong with the app.
MacOS Malware Month
This is the third malware strain discovered affecting MacOS in December. DarthMiner, mentioned earlier, is one of them; it was spread through Adobe Zii, a piracy tool used for pirating Adobe applications.
The other malware discovered this month is OSX.Badword, which was discovered by John Lambert from Microsoft. It used a malicious macro embedded in a Microsoft Word document and targeted a sandbox escape vulnerability using the Meterpreter backdoor.
The recent malware discoveries call for MacOS users to avoid downloading applications from unverified sources to remain safe from such malware disguised as legitimate software.