New Mac malware - MaMi - hijacks DNS connections

Malware can steal passwords, take screenshots and access files. Security researchers have discovered new Mac malware that can hijack DNS settings.


Called MaMi, after a string in the program code, the malware was highlighted by Mac security expert Patrick Wardle in a blog post.


The Mac malware was brought to Wardle's attention by a user on the Malwarebytes forum, who had found problems on the computer of a friend who had previously downloaded something. The specific infection vector is still unclear. Wardle said the malware is propagated by methods such as malicious email, web-based fake security alerts/popups, or social-engineering attacks targeting Mac users.


MaMi is distributed in the form of an unsigned Mach-O 64-bit binary and has several functions. During installation - which requires the entry of an administrator password - the malware first changes DNS entries on the Mac. Then, all DNS requests are routed to the malware developers' servers, which can also send users to unwanted websites for further attacks.


The malware also installs a special root certificate in the macOS keychain. Wardle said that hackers could use these functions to “perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads).”


In addition, MaMi can take screenshots, trigger mouse events, move the cursor, persist by restarting as a launch item, download and upload files, and execute commands. The researchers say that MaMi appears to be a macOS version of a similar Windows malware called DNSUnlocker, which uses the same DNS server and certificate.


Affected users should first check whether the DNS servers on their Mac are set to 82.163.143.135 and 82.163.142.137; this would indicate an infection. Wardle said that to remove the DNS servers, open the System Preferences application, click the 'Network' icon, then the 'Advanced' button, and finally the 'DNS' button. Select each server, then click the '-' button to delete it.
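As an added, defender-side example (not Wardle's code or the article's), a POSIX shell check that flags either of the two MaMi DNS server addresses named above in macOS network service settings. The mami_dns_hit function parses a plain list of addresses so it can be exercised with constructed input; check_live_system feeds it the real output of networksetup when run on a Mac.

```shell
#!/bin/sh
# Added example, not from the article or Wardle's post: flag the two MaMi
# DNS server addresses the article lists in macOS network service settings.
MAMI_DNS="82.163.143.135 82.163.142.137"

# mami_dns_hit: read DNS server addresses, one per line, from stdin and print
# each one that matches a MaMi indicator. Returns 0 if any matched, else 1.
# Lines such as "There aren't any DNS Servers set on Wi-Fi." never match.
mami_dns_hit() {
    found=1
    while IFS= read -r addr; do
        addr=$(printf '%s' "$addr" | tr -d '[:space:]')
        [ -n "$addr" ] || continue
        for ioc in $MAMI_DNS; do
            if [ "$addr" = "$ioc" ]; then
                printf 'MATCH: %s\n' "$addr"
                found=0
            fi
        done
    done
    return $found
}

# check_live_system: on a Mac, query networksetup for every network service
# (the same settings the System Preferences steps above edit) and pass the
# configured servers to mami_dns_hit. Returns 0 on a hit, 1 if clean, 2 if
# networksetup is unavailable (e.g. when run on Linux).
check_live_system() {
    command -v networksetup >/dev/null 2>&1 || return 2
    rc=1
    # Drop the one-line header; strip the '*' that marks a disabled service.
    services=$(networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//')
    # Here-document instead of a pipe so the loop runs in this shell and rc survives.
    while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        if networksetup -getdnsservers "$svc" | mami_dns_hit; then
            rc=0
        fi
    done <<EOF
$services
EOF
    return $rc
}

# Constructed sample input standing in for networksetup -getdnsservers output.
printf '82.163.143.135\n82.163.142.137\n' | mami_dns_hit
```

On a Mac, `scutil --dns` shows the resolver configuration actually in effect, which is worth comparing against the per-service settings this script reads.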


Wardle said that at the time of writing, none of the scanners on VirusTotal detected the malware.


Malcolm Murphy, director of Western Europe at Infoblox, told SC Media UK that this attack provides further proof, if any were needed, of the criticality of DNS and how vital securing DNS should be to the modern enterprise.  


“Firstly, the attackers are clearly targeting DNS and hijacking the client DNS servers because they see the huge value that this brings to them and the control it takes away from their target,” he said.


“Secondly, it emphasises that enterprises must be securing their DNS traffic at a network level as well as a client level, and that they have complete visibility into the DNS traffic that is flowing across their network both where it is going and what it contains. Without effective DNS security in place, the modern enterprise places itself at risk.”


Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that since the infection method for this specific Mac malware is limited to social engineering by tricking victims into executing the malware – distributed either via email or scareware advertisements – the chances of getting infected with MaMi are relatively small.


“Not only that, by default macOS will not allow untrusted apps – that are not signed with a valid developer digital certificate – to be installed, but security policies can also be pushed throughout the company to deny users from installing untrusted/unsigned apps,” he added.