{"id":74224,"date":"2018-01-15T16:43:59","date_gmt":"2018-01-16T00:43:59","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=74224"},"modified":"2019-06-15T03:00:02","modified_gmt":"2019-06-15T10:00:02","slug":"ay-mami-new-dns-hijacking-mac-malware-discovered","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/ay-mami-new-dns-hijacking-mac-malware-discovered\/","title":{"rendered":"\u00a1Ay, MaMi! New DNS-hijacking Mac malware discovered"},"content":{"rendered":"

UPDATE:<\/strong> On January 17, we added\u00a0additional information about the malware’s method of persistence and another file dropped by the malware, as well as the forum user’s reported source of infection.<\/em><\/p>\n

Very early in the morning on Friday, January 12, Mac security researcher Patrick Wardle\u00a0published\u00a0a\u00a0report<\/a>\u00a0about a\u00a0brand new Mac malware, dubbed OSX\/MaMi<\/strong>.<\/p>\n

“2018 is barely two weeks old, and already it looks like we’ve got [a] new piece of macOS malware!” Wardle said, upon introducing his analysis of OSX\/MaMi.<\/p>\n

\n

OMG do we have the 1\u02e2\u1d57 macOS malware of 2018? and can I name it!? OSX\/MaMi is undetected by AV (src: VT) infecting Macs around the world – persistently installs new root cert & hijacks DNS settings: https:\/\/t.co\/kkriVSPNC7<\/a> ???\u2620\ufe0f …mahalo to a good friend for the ping ?<\/p>\n

\u2014 Objective-See (@objective_see) January 12, 2018<\/a><\/p><\/blockquote>\n

On Thursday, a user of a computer security forum had posted<\/a> asking for help with removing some malware from his Mac that another malware-removal utility wasn’t detecting.<\/p>\n

\"\"<\/p>\n

The original forum post that started the MaMi investigation.<\/p>\n

Since neither the forum hosts nor other forum users had responded publicly, Wardle decided to do some investigating.<\/p>\n

Intego also began analyzing the malware early Friday morning and updated its\u00a0VirusBarrier<\/a>\u00a0antivirus definitions to detect this new malware as OSX\/MaMi.A<\/strong>.<\/p>\n

Following is a compilation of some interesting findings from Intego researchers,\u00a0Wardle, Noar (another researcher), and Thomas Reed.<\/p>\n

What Does the OSX\/MaMi Malware Do?<\/h3>\n

The main objective of the malware is to hijack a user’s DNS.<\/p>\n

DNS stands for domain name system, a technology used by nearly every Internet-connected device to resolve domain names to their actual Internet protocol (IP) address. For example, if you type “intego.com” into your browser, DNS is how your computer knows where to find Intego’s site.<\/p>\n

OSX\/MaMi malware attempts to hijack a victim’s DNS requests by injecting its own DNS servers into an infected system. It also installs a malicious root certificate authority (root CA) so that secure HTTPS requests can also be hijacked by the malware without scary warnings appearing in the victim’s browsers.<\/p>\n

\"\"The combination of hijacking DNS and injecting a root CA make it possible for the malware creator to engage in “man-in-the-middle” (MitM) attacks against a victim. An attacker could potentially do things such as spy on everything a victim does online, see every bit of data typed into “secure” Web forms, and inject malware or advertisements into any Web page (even if the page uses HTTPS).<\/p>\n

Although analysis of the malware so far has not shown any utilization of the following functions, the malware also appears to have the capability (or at least incomplete attempts at adding the capability) to execute AppleScript code, simulate mouse clicks, and take screenshots. It also appears to contain code for installing a method of persistence called a LaunchAgent (see our recent interview with Amit Server about OSX\/Pirrit<\/a> for more about LaunchAgents), but so far we have not observed a LaunchAgent being installed by OSX\/MaMi.<\/p>\n

UPDATE:<\/strong>\u00a0On the forum user’s computer, the malware\u00a0was installed as a LaunchDaemon\u2014similar to a LaunchAgent\u2014with the file path\u00a0\/Library\/LaunchDaemons\/Cyclonica.plist (note that the file name might differ on other infected systems, but one unique thing\u00a0about the file name is that it doesn’t follow the standard reverse domain notation<\/a> convention as discussed in\u00a0the aforementioned\u00a0interview with Serper about Pirrit<\/a>). This\u00a0LaunchDaemon plist file references\u00a0a malicious file that’s downloaded\u00a0to\u00a0the user’s home directory, in this case ~\/Library\/Application Support\/Cyclonica\/Cyclonica (again, the folder and file names might differ on other infected systems, but will probably match the name of the LaunchDaemon plist file). Thanks to Thomas Reed<\/a> for working with the forum user to obtain this information.<\/p>\n

Why “MaMi”?<\/h3>\n

Wardle, the first researcher to write up a report on the malware, called it OSX\/MaMi, so Intego has adopted the name. Although several antivirus vendors are calling it “OSX\/DNSChanger,” we agree with Wardle<\/a>\u00a0that it’s helpful to distinguish between MaMi (which is new malware) and other DNS-modifying malware that has already been called DNSChanger<\/a> in the past.<\/p>\n

\n

Good: detection for OSX\/MaMi went from 0\/59 to 26\/59 on VirusTotal: https:\/\/t.co\/JXSs0iRngo<\/a> Bad: several AVs calling it ‘OSX\/DNSChanger’ …which IMHO, is dumb as there’s an unrelated Mac malware from 2012, *already* called this (even has a wikipedia: https:\/\/t.co\/VHetpnH811<\/a>) ? pic.twitter.com\/Aiq4EbiAy3<\/a><\/p>\n

\u2014 patrick wardle (@patrickwardle) January 15, 2018<\/a><\/p><\/blockquote>\n

The name “MaMi” appears in text strings within the malware (mami_activity, loadMaMiAtPath, unloadMaMiAtPath, removeMaMiAtPath, initMaMiSettings, SBMaMiSettings, SBMaMiManager, etc.).<\/p>\n

Mami<\/em> is an Israeli\u00a0term of endearment<\/a>,\u00a0meaning something akin to sweetie or honey; for example, a mother might call her child by that name. We’ll\u00a0explain the Israel connection below.<\/p>\n

(Incidentally, “mami” has several meanings in different cultures. Similar to the Israeli word, it\u00a0is also a Spanish word that can be a term of endearment in some contexts; it can also mean mommy, beautiful woman, or young girl with whom the speaker is familiar.\u00a0Mami is also a female given name in Japanese meaning “real beauty,” and it’s also\u00a0the name of a noodle soup in the Philippines.)<\/p>\n

How the Malware Spreads<\/h3>\n

At this time, it’s not\u00a0known precisely how the original forum user got infected. However, several Web sites are currently hosting copies of the malware binary, so one possibility is that OSX\/MaMi may be a secondary infection installed by other malware that’s already installed on a victim’s system.<\/p>\n

UPDATE:<\/strong>\u00a0The forum user later reported<\/a> that his coworker’s computer became infected after clicking\u00a0in a browser popup window: “\u2026this was a lame method of transmission. A popup came up that she clicked and followed through with.” Thanks to\u00a0Thomas Reed<\/a>\u00a0for\u00a0working with the forum user to obtain this information.<\/p>\n

How to Tell if Your Mac Is Infected<\/h3>\n

WARNING:<\/span> Do not attempt to connect to the domain names or IP addresses below; doing so may lead to infection!<\/p>\n

The most obvious indicators of compromise (IoCs) are that an infected computer will have the following IP addresses as DNS\u00a0servers:\u00a082.163.143\u2024135<\/strong> and 82.163.142\u2024137<\/strong>.<\/p>\n

There are a number of methods for checking which DNS servers your Mac is using.<\/p>\n

If you’re using a wired Ethernet connection, click on the Apple menu and select System Preferences…, then click on Network, and then (if it’s not already selected) click on Ethernet (or Thunderbolt Ethernet) in the left pane. In the right pane, you’ll see a “DNS Server:” line which may contain\u00a0one or more\u00a0DNS IP addresses. If you see one or both of the IP addresses above that start with “82.163.” then your Mac has been infected.<\/p>\n

\"\"<\/p>\n

MaMi DNS servers on Ethernet. Image credit: Wardle<\/a><\/p>\n

If you’re using a wireless network, you can copy and paste the following into the Terminal app on your Mac:<\/p>\n

networksetup -getdnsservers Wi-Fi<\/pre>\n
If you see one of the IP addresses above that start with “82.163.” then your Mac has been infected. (Most often you’ll see the message, “There aren’t any DNS Servers set on Wi-Fi,” or if\u00a0you’ve manually added DNS servers in the past you’ll see them listed.)<\/p>\n
Another indicator of compromise is the presence of a root CA for the domain cloudguard(.)me; you can search for the word cloudguard in the Keychain Access app on your Mac, and if it appears in the results, then your Mac has been infected.<\/p>\n
\"\"<\/p>\n
Root CA installed by OSX\/MaMi. Image credit: Wardle<\/a><\/p>\n
The Keychain Access<\/a> and Terminal apps are both located in \/Applications\/Utilities in your Macintosh HD.<\/p>\n
The malware may also drop files in \/Library\/LaunchDaemons and ~\/Library\/Application Support, as previously noted.<\/p>\n
Partial instructions for manually removing the DNS servers and root CA from a Mac can be found in Wardle’s article;<\/a>\u00a0however,\u00a0attempting to manually clean\u00a0a system may be insufficient, as\u00a0the forum user who originally reported the malware said that after manually removing the DNS\u00a0servers they became installed again.<\/p>\n
We strongly recommend scanning your system with Intego VirusBarrier<\/a> to check for\u00a0persistent\u00a0infections.<\/p>\n
Network administrators can find potentially infected systems on\u00a0their network by looking for attempts to\u00a0contact\u00a0the following domains on port 80:<\/p>\n