Cryptocurrency Investors Aimed with MacOs Malware on Slack and Discord

July 5, 2018

 

A number of MacOs malware attacks have been recognized in the past few days with sufferers targeted through the Slack as well as Discord chat platforms. The attackers are aiming cryptocurrency investors and are posting messages on Slack and Discord groups connected to cryptocurrencies.

This is an impersonation attack in which management, as well as important people are being impersonated, with users suggested to run a draft that copies a malware variation called OSX.Dummy malware through curl.

The malware has a 34Mb size, which must be a warning symbol, even though it is presently not being picked up by any AV creations on VirusTotal, as per safety scientist Remco Verhoef, who later posted regarding the attacks on the SANS ISC InfoSec forum.

Patrick Wardle, chief inquiry officer at Digita Safety, also wrote concerning the attack in the latest blog post. Wardle notes that typically, an unknown binary would not be permitted to run by Gatekeeper, even though if the binary is being run directly via terminal controls the file will be permitted to perform as GateKeeper is not involved.

As soon as the binary is operated, the authorizations for the malware are altered to root, which would need a user in order to enter a password in the terminal. Should that occur, the malware drops code to attain perseverance.

Verhoef described in his column, “The bash script (which runs a python command) attempts to link to 185.243.115.230 at port 1337 within a loop and the python code generates an opposite shell. In order to make sure implementation during startup it generates a launch inspiration.” Should the attack be successful, it would permit the attacker to take complete control of an infected appliance. Nevertheless, in the type checked by Verhoef, the malware was not able to connect to its C2.