OSX.Dummy: New MacOS malware targets cryptocurrency investors on Slack and Discord

Security researchers have spotted a new malware strain targeting cryptocurrency investors that use the popular chat platforms, Discord and Slack. The malware, named OSX.Dummy, appears to use a "rather lame", unsophisticated social engineering trick to infect users.

However, users who are successfully attacked could allow for hackers to arbitrarily execute commands as root on the infected system.

Researcher Remco Verhoef first spotted the malware and detailed it in a post on the SANS InfoSec Handlers Diary Blog.

"[Over the] previous days we've seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chat groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary," Verhoef wrote.

Modus Operandi

Attackers attempt to entice users with a message asking them to infect themselves and execute a script that downloads the hefty 34Mb OSX.Dummy malware.

"If users fall for this (rather lame social engineering trick, a rather massive machO binary will be downloaded and executed," Patrick Wardle, chief research officer at Digita Security, wrote in a blog post, adding that the binary is not signed.

The researchers noted that the malware manages to bypass the macOS Gatekeeper security software that is designed to prevent any suspicious, unsigned software from being downloaded and executed on a system.

“Normally such a binary would be blocked by Gatekeeper. However if users are downloading and running a binary directly via terminal commands, Gatekeeper does not come into play and thus unsigned binary will be allowed to execute,” Wartle wrote. “I guess the take away here is (yet again) the built-in macOS malware mitigations should never be viewed as a panacea.”

The binary is also completely undetected by any antivirus software with a perfect score of 0/60 on VirusTotal.

Once the malicious binary is executed, a macOS sudo command changes the malware's permissions to root. This will require the user to enter their password in the terminal that is then saved by the malware.

The malware then drops code in multiple macOS directories including a malicious launch daemon to establish persistence. If the attack is successful and a connection to the attacker's C&C server is established, the attack could take control and execute commands as root on the targeted system.

All-round dumb

However, Wardle said he decided to name the mac malware "OSX.Dummy" because "the infection method is dumb, the massive size of the binary is dumb, the persistence mechanism is lame (and thus also dumb), the capabilities are rather limited (and thus rather dumb), it's trivial to detect at every step (that dumb)... and finally, the malware saves the user's password to dumpdummy."