Mac users haven’t had much good news on the security front early on in 2018, and that unfortunate streak is continuing with the revelation that macOS has been hit by a new strain of DNS hijacking malware (which inflicts more nastiness on the system besides that primary payload).
Named as OSX/MaMi, the malware changes the DNS server settings on the victim’s machine, redirecting their internet traffic through malicious servers designed to steal the user’s sensitive data.
Security researcher Patrick Wardle has looked extensively into MaMi (as spotted by 9 to 5 Mac) and observes that while it isn’t particularly sophisticated, it does more than simple DNS hijacking.
It’s also capable of taking screenshots, downloading and uploading files, and executing commands, and it installs a new root certificate to facilitate potential man-in-the-middle attacks. It’s pretty bad news all round, really.
How do you get infected? Wardle isn’t certain on this point, but observes that fake emails or social engineering attacks are likely to be involved (both are pretty prevalent vectors these days). The post on Malwarebytes’ forum which pointed out the malware to Wardle showed the infection came from installation of a dodgy program (‘mycoupon’).
Unfortunately, not all antivirus software is currently capable of detecting the malware, although some have been primed to spot it. Hopefully, it shouldn’t be long before all antivirus apps have MaMi on their radar.
To manually check whether you’ve been infected, open System Preferences, go to the Network pane, click Advanced, and select the DNS tab. If your DNS servers are set to 220.127.116.11 and 18.104.22.168, then the malware is at large on your system. Wardle provides further advice in this blog post.
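The same check can be scripted so it can be run across a fleet of Macs or dropped into an existing health-check job. The script below is an added example, not code from the article or from Wardle’s write-up: it compares the resolver addresses macOS reports against the two DNS server values the article names. The indicator values are taken from the article; the helper names, the `--demo` flag and the sample input are constructed for this example. On macOS it reads the live configuration with the built-in `networksetup` tool; elsewhere that step is skipped and only the matching logic runs.

```shell
#!/bin/sh
# Added example (not from the article): flag resolver addresses that match the
# OSX/MaMi DNS indicators named in the article. Helper names and sample input
# are constructed for illustration.

# Indicator values exactly as printed in the article.
MAMI_DNS_IOCS="220.127.116.11 18.104.22.168"

# is_mami_dns SERVER -> exit 0 if SERVER is one of the indicator addresses.
is_mami_dns() {
    for ioc in $MAMI_DNS_IOCS; do
        [ "$1" = "$ioc" ] && return 0
    done
    return 1
}

# count_mami_hits "srv1 srv2 ..." -> prints how many listed servers match.
count_mami_hits() {
    mami_hits=0
    for srv in $1; do
        if is_mami_dns "$srv"; then
            mami_hits=$((mami_hits + 1))
        fi
    done
    printf '%s\n' "$mami_hits"
}

# live_dns_servers -> on macOS, print the configured resolvers of every
# network service, one address per line. networksetup only exists on macOS,
# so on other systems this prints nothing and the check is skipped.
live_dns_servers() {
    command -v networksetup >/dev/null 2>&1 || return 0
    # First line of the listing is an explanatory banner; a leading '*'
    # marks a disabled service, which we still inspect.
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        # Services with no manual resolvers print a sentence, not addresses,
        # so keep only dotted-quad lines.
        networksetup -getdnsservers "$svc" | grep -E '^[0-9]+(\.[0-9]+){3}$'
    done
}

# When run directly: inspect the live configuration, or with --demo use a
# constructed sample that mimics a hijacked machine.
if [ "${1:-}" = "--demo" ]; then
    sample="220.127.116.11 18.104.22.168"   # constructed: hijacked resolvers
else
    sample=$(live_dns_servers | tr '\n' ' ')
fi
hits=$(count_mami_hits "$sample")
if [ "$hits" -gt 0 ]; then
    echo "WARNING: $hits resolver(s) match the OSX/MaMi DNS indicators: $sample"
else
    echo "No OSX/MaMi DNS indicators found."
fi
```

Run it with no arguments on a Mac to check the real settings, or with `--demo` to see the warning path. Note that a clean DNS list is not an all-clear on its own: the article also describes a root certificate being installed, and the resolver check says nothing about that, so a full review should also cover the login keychain and System keychain for unexpected trusted roots.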