Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • A new macOS malware called MaMi can hijack DNS settings, install root certificates, and otherwise compromise macOS machines. Its attack vector is currently unknown.
  • Not all antivirus engines can detect MaMi yet, so keep your definitions up to date and run regular scans to ensure none of your machines are infected.

Security researcher Patrick Wardle has dug into a recently discovered macOS malware he’s dubbed “MaMi,” and his findings show that it has the potential to do serious damage.

The malware was found in the wild through a Malwarebytes forum post Wardle noticed, in which the poster said they were trying to help a work colleague deal with a DNS hijacking issue.

Wardle said he didn’t see a reply on the forum post, which led him to believe there wasn’t any other recent macOS malware out there that hijacked DNS, so he took a look at what appears to be a whole new strain of Mac-infecting malware.

A new attack

Wardle wasted no time in disassembling MaMi, which he said isn’t particularly complex: It’s just an unsigned Mach-O 64-bit executable. Its simplicity may be reflective of how new it is–disassembling the code revealed it’s only version 1.1.0.

MaMi’s attack vector isn’t known, but Wardle did say he’s found it on several websites. Regardless, once it’s on a machine it goes to work executing several tasks, particularly changing the infected machine’s DNS servers and installing a root certificate in the Keychain.

The root certificate is likely a precursor to future man-in-the-middle attacks, Wardle said, and the DNS changes are likely for the same reason.

MaMi’s code also contains capabilities to allow it to run at startup, take screenshots, generate simulated mouse events (which could be used for click farming), download and upload files, and execute commands–and Wardle says it’s capable of doing even more.

Mac users beware

When initially discovered, there wasn’t a single anti-malware app that recognized MaMi as malicious. As our sister site ZDNet points out, that number has changed: As of this writing 27 of the 59 antivirus platforms on VirusTotal recognize MaMi.

How can users avoid getting infected by MaMi? It’s tough, especially since its attack vector is currently unknown. As with all forms of malware, however, there are some basic best practices IT teams can follow to ensure no errant software is installed on managed machines:

  • Don’t allow users to install anything without domain administrator permission.
  • Block the installation of apps that don’t come directly from the Apple App Store.
  • Make sure you’re running up-to-date malware definitions, regardless of whether or not your antivirus product is one of the 27 that detect MaMi. That number is sure to grow in the coming days, and protection requires having definitions up to date.

There are a couple of easy ways to tell if your computer is currently infected:

  • Check your DNS settings by opening System Preferences, then clicking on Network, and then on the DNS tab. If the addresses listed are either 82.163.143.135 or 82.163.142.137, you’re infected.
  • Open the Keychain Access app, and click on the System Roots tab. Do a search for Cloudguard.me. If you find it on your machine, you’re infected.
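
Both of those checks can be scripted for a fleet. The script below is an added example, not code from the article or from Wardle’s analysis; it assumes `scutil --dns` and `security find-certificate -a` as the collection commands and that the System keychain and the System Roots keychain are the two places worth listing. The indicator values are the ones given above.

```sh
#!/bin/sh
# Added example: script the two MaMi infection checks described in the article.
# Indicators (rogue resolvers and root certificate name) are taken from the article.
MAMI_DNS_RE='(^|[^0-9])82\.163\.14(3\.135|2\.137)([^0-9]|$)'
MAMI_CERT_NAME='cloudguard.me'

# Exit 0 if the DNS configuration text on stdin names either rogue resolver.
# Suitable input: `scutil --dns` or `networksetup -getdnsservers <service>`.
dns_has_mami_resolver() {
    grep -E "$MAMI_DNS_RE" >/dev/null
}

# Exit 0 if a keychain listing on stdin contains the MaMi root certificate name.
# Suitable input: `security find-certificate -a <keychain...>` (the "labl" attribute).
keychain_has_mami_cert() {
    grep -i -F "$MAMI_CERT_NAME" >/dev/null
}

# Combine both checks on captured text; prints "infected" or "clean".
# Either indicator alone is a hit, since the article treats each as sufficient.
mami_verdict() {
    dns_text=$1
    cert_text=$2
    if printf '%s\n' "$dns_text" | dns_has_mami_resolver ||
       printf '%s\n' "$cert_text" | keychain_has_mami_cert; then
        echo infected
    else
        echo clean
    fi
}

# Live check on a macOS host (assumed: scutil and security are present, and the
# admin-writable System keychain plus the System Roots keychain are the ones to list).
check_host() {
    dns_text=$(scutil --dns 2>/dev/null)
    cert_text=$(security find-certificate -a \
        /Library/Keychains/System.keychain \
        /System/Library/Keychains/SystemRootCertificates.keychain 2>/dev/null)
    mami_verdict "$dns_text" "$cert_text"
}

# Only run the live check on macOS; elsewhere the functions can still be sourced and tested.
if [ "$(uname 2>/dev/null)" = Darwin ]; then
    check_host
fi
```

Run it with `sh mami-check.sh` on each managed Mac; a verdict of `infected` means one of the two indicators from the article is present.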

If you are infected, that’s bad news: MaMi can execute code, which means it can install other malware alongside itself. There’s no evidence it’s doing so, but the best bet in the case of a MaMi infection is to wipe the affected machine and start with a fresh install of macOS.

Wardle says that, in all likelihood, simply changing the DNS settings and removing the root certificate should be enough to kill MaMi, so if a fresh OS install isn’t possible you may be able to get away with that simple approach. Beware, of course: Only removing the obvious signs of a malware infection may leave you open to future attacks if the program is smart enough.