{"id":80641,"date":"2018-07-06T13:25:53","date_gmt":"2018-07-06T20:25:53","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=80641"},"modified":"2019-06-15T02:49:16","modified_gmt":"2019-06-15T09:49:16","slug":"new-mac-malware-targets-cryptocoin-dummies","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-malware-targets-cryptocoin-dummies\/","title":{"rendered":"New Mac malware targets cryptocoin ‘dummies’"},"content":{"rendered":"

\"\"Mac malware for dummies?<\/em>\u00a0No, it’s not the latest volume in Wiley’s book series.<\/p>\n

OSX\/Dummy<\/strong> is new Mac malware that rudely refers to its victims as dummies (more specifically, “dumpdummy”).<\/p>\n

Below we’ll cover everything you need to know\u00a0about the latest macOS malware threat.<\/p>\n

OSX\/Dummy’s Attack Vector<\/h3>\n

How is OSX\/Dummy spreading? Well, it has an unusual attack vector, to be sure.<\/p>\n

Cryptocurrency chat groups hosted on popular platforms Slack and Discord have recently been targeted by a threat actor. A perpetrator pretends to be a chat group administrator or someone important, inviting chat participants to run a command in the Terminal on their Macs to supposedly “make sure [a] port is open” to enable a cryptocurrency transaction to finish processing.<\/p>\n

\"\"

OSX\/Dummy spreads via a rudimentary social engineering attack. Image: Remco Verhoef<\/a><\/p><\/div>\n

When unsuspecting victims run the command, their Mac may become infected with the new malware, OSX\/Dummy.<\/p>\n

This methodology of infection through social engineering, although very rudimentary in nature, is arguably slightly clever in that it circumvents Apple’s Gatekeeper protection. Gatekeeper is supposed to block execution of known-malicious and unsigned code obtained from the Internet. While Gatekeeper might block malware from certain sources, it is not designed to block code downloaded via the Terminal.<\/p>\n

What Does OSX\/Dummy Do?<\/h3>\n

When the user types his or her password into the Terminal, the malware logs it in plain text to a new file, located at \/tmp\/dumpdummy.<\/p>\n

\"\"
\nPatrick Wardle<\/a> shows that OSX\/Dummy stores passwords in plain text.<\/p>\n

The malware also establishes a method of persistence so that it can survive a reboot.<\/p>\n

OSX\/Dummy then attempts to open a reverse shell connection to an attacker-controlled computer. A successful reverse shell connection could allow the attacker to execute any commands of their choosing on the victim’s Mac, with full root privileges.<\/p>\n

\"\"In other words, the attacker can\u00a0control the victim’s Mac\u00a0like a puppet\u2014a dummy.<\/p>\n

The\u00a0attacker could even\u00a0do things like steal the victim’s cryptocurrency wallets (which might perhaps be a primary goal in this campaign, judging by the forums trolled by the attacker).<\/p>\n

What Can Mac Users Learn From This?<\/h3>\n

The most important takeaway for Mac users is that your computer isn’t invincible<\/strong>\u2014you have to be just as cautious as a Windows user to prevent your computer from getting infected.<\/p>\n

Fraudsters prey on those who are most likely to be vulnerable to their scam tactics, including Mac users who may be overly confident about their computer’s security or overly trusting of people in chat channels or forums.<\/p>\n

And, of course, don’t run Terminal commands<\/strong> that you’ve found in some random place online; they could be malicious!<\/p>\n

Is My Mac Safe?<\/h3>\n

\"\"Unfortunately, Apple’s built-in technologies such as Gatekeeper and XProtect won’t stop this malware from infecting your Mac.<\/p>\n

However, Intego VirusBarrier<\/a> detects and eradicates OSX\/Dummy’s files, and Intego NetBarrier can empower you to block the outbound network connection if some new malware ever tries to phone home.<\/p>\n

If you don’t have an anti-malware suite installed on your Mac, you can check for the presence of the following files to see whether your Mac is currently infected:<\/p>\n

\/Library\/LaunchDaemons\/com.startup.plist\r\n\/tmp\/com.startup.plist\r\n\/tmp\/dumpdummy\r\n\/tmp\/script.sh\r\n\/Users\/Shared\/dumpdummy\r\n\/var\/root\/script.sh<\/pre>\n
Network administrators can also check their logs to see if any computers have attempted to phone home to the IP address 185.243.115.230 on port 1337.<\/p>\n
Where\u00a0Can I Learn More?<\/h3>\n
Remco Verhoef<\/a>\u00a0was the first to publish a report about OSX\/Dummy, and Patrick Wardle<\/a>\u00a0followed up with additional analysis.<\/p>\n
Be sure to subscribe to\u00a0The Mac Security Blog,<\/strong>\u00a0the\u00a0Intego Mac Podcast<\/strong><\/a>, and\u00a0the\u00a0Intego YouTube channel<\/strong><\/a>\u00a0to stay\u00a0informed about\u00a0the latest Apple security news! We talked about\u00a0OSX\/Dummy on\u00a0episode 38<\/a> of the podcast.<\/p>\n
 <\/p>\n
Dummy photo\u00a0by\u00a0Andrew Malone<\/a>. “Beware of pickpockets” image by\u00a0Paris 16<\/a>.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
Mac malware for dummies?\u00a0No, it’s not the latest volume in Wiley’s book series. OSX\/Dummy is new Mac malware that rudely refers to its victims as dummies (more specifically, “dumpdummy”). Below we’ll cover everything you need to know\u00a0about the latest macOS malware threat. OSX\/Dummy’s Attack Vector How is OSX\/Dummy spreading? Well, it has an unusual attack […]<\/p>\n","protected":false},"author":14,"featured_media":80692,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[174,86,4240,3172],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\n\t\n\t\n\t\n