Apple’s macOS, which was recently found to have a login bug, has now become the target of a new DNS hijacking exploit. The malware attacking macOS is similar to the DNSChange trojan that affected over four million computers back in 2011.
The DNS hijack malware works by changing the DNS server settings on affected computers and routes traffic through malicious servers. The process allows it to successfully log sensitive data in the process. This new version of DNS malware is being referred to as OSX/MaMi, notes The Hacker News.
The details of this malware first appeared on the Malwarebytes forum and former NSA hacker Patrick Wardle did a deep dive to understand the characteristics of the trojan. Wardle found that the malware is a DNS hijacker akin to the 2011 trojan, but goes a bit further by installing a new root certificate capable of hijacking encrypted communication.
Apart from installing a root certificate, Wardle discovered that MaMi gains a host of other abilities including ability to take screenshots, generate simulated mouse events, download and upload files and execute commands. The worst of all is the ability for the malware to persists as a launch item by executing runAtLoad instruction.
“OSX/MaMi isn’t particular advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certifcate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic,” Wardle wrote in a blog post.
These are initial observations of the malware and there isn’t much known about this attack just yet. It still remains unclear how the malware infects target machine but it is believed to be spreading via executable files shared in the form of mails and fake security alerts.
Apple’s macOS users can check if their machines are affected by the malware by launching System Preferences and heading into the Network menu. Under Advanced, users can toggle over to the DNS menu and need to keep an eye on 22.214.171.124 and 126.96.36.199 DNS addresses. Also check for malicious ‘cloudguard.me’ certificate, which will appear in the System Keychain, if installed.
Since malwares are capable of installing other malware and allowing remote attacker access to the system, Wardle suggests fully reinstalling macOS on machines affected with this malware. Wardle also plans to release a free open-source firewall for macOS called Lulu that will prevent the OSX/MaMi malware from stealing user data.