MaMi – new DNS Hijacker for MacOS

Delaware, USA ā€“ January 17, 2018 ā€“ Last week, a researcher from Objective-see studied and described the newly discovered malware for MacOS, which was not detected by antivirus solutions. OSX / MaMi modifies DNS settings on the infected assets and installs own root certificate to intercept encrypted traffic. Adversaries can use this tool to perform MitM attacks, spy on infected machines and prepare attacks on company’s network: malware can take screenshots, download/upload files and execute commands. It seems that adversaries are still developing this malware strain. Methods of MaMi distribution are not yet known, but instances of this malware have been found on several sites.

The emergence of a new virus for MacOS that was not detected by antivirus solutions is a serious threat to companies using Apple software. The current version of the virus replaces the DNS settings on the infected assets with 82.163.143.135 and 82.163.142.137, so you need to investigate any queries to these servers. Also, you can use DNS Security Check SIEM use case for to monitor any suspicious DNS queries and spikes of DNS traffic. It will help you uncover malware activity that bypassed your antiviruses.