Apple’s macOS is reportedly the target of a new DNS hijacking exploit. The malware is being likened to the DNSChange trojan that affected over four million computers in 2011…
This sort of malware works by changing DNS server settings on affected computers, thus routing traffic through malicious servers and logging sensitive data in the process. This new version is being referred to as OSX/MaMi.
News of this malware first appeared on the Malwarebytes forum, prompting ex-NSA hacker Patrick Wardle to do a deep dive into it. Wardle found that the malware is indeed a DNS Hijacker, but actually goes further and installs a new root certificate to hijack encrypted communication.
Furthermore the malware’s reach is said to extend to things such as generating mouse events, taking screenshots, and more:
– Taking screenshots
– Generating simulated mouse events
– Perhaps persists as a launch item (programArguments, runAtLoad)
– Downloading & uploading files
– Executing commands
There’s still a lot we don’t know about this attack. For instance, specific information about how it’s spreading remains unclear. Wardle speculates that the attackers may be using rather basic methods of malicious emails and fake security alerts and popups.
Currently, you can check to make sure you aren’t affected by launching System Preferences, heading into the Network menu, choosing “Advanced” and toggling over to the DNS menu. On that menu, keep an eye out for 22.214.171.124 and 126.96.36.199.
It’s important to note that, as of right now, antivirus products are not detecting the malware.
Furthermore, Wardle will be releasing a free open-source firewall for macOS called Lulu that prevents the OSX/MaMi malware from stealing your data.