voyager624 - Fotolia

How does new MacOS malware target users through chat?

New malware targets cryptocurrency investors through MacOS and chat platforms were recently discovered. Learn how OSX.Dummy malware works and what users can do to spot the attack.

A researcher discovered new MacOS malware that hackers are using to target cryptocurrency investors on Slack and Discord chat platforms. How does this malware, dubbed OSX.Dummy, work and how can users spot these attacks?

While individuals have started to scrutinize the email they receive for potential spam or phishing, this does not happen for all communication methods. And while savvy users are often able to work around these threats, this is not always the case, especially when it involves trusting executable files that are received from untrusted sources.

These behaviors were shown to be dangerous by the newly reported MacOS malware, dubbed OSX.Dummy. The malware was first reported by Remco Verhoef, a Dutch security researcher and ISC SANS handler; another researcher, Patrick Wardle, co-founder of Digita Security and publisher of the Objective-See website, gave the new malware its name after he discovered that the malware was … not smart.

In his blog post about OSX.Dummy, Wardle noted a list of reasons for the name, starting with, "the infection method is dumb," and further noting other ways the malware is "dumb:" a huge (34 Mb) malware binary with limited capabilities that is trivial to detect.

Wardle found that users on the Slack and Discord chat platforms were being targeted via a message from what appeared to be an admin instructing the user to run a command in the terminal on the user's Mac. It seems very likely that targeted users were compromised as the command downloaded a malicious binary and executed it on the computer. The OSX.Dummy MacOS malware then sets itself to run upon startup and connect to its command-and-control (C&C) server.

Researchers found that the binary asked users to enter their password for the malware to run and, since the user executes the command via the terminal, the malicious binary bypassed the Apple Gatekeeper. OSX.Dummy wasn't detected by the antimalware tools in VirusTotal when it was initially detected.

While it is difficult to prevent users from intentionally running MacOS malware on their endpoint, security awareness training should be required around all social engineering and not limited to just email-based spam or phishing attacks. Enterprises can detect OSX.Dummy on their network by monitoring network connections to the C&C and checking the endpoint for specified files mentioned by the ISC or for a Python script running in the background.

Ask the expert:
Have a question about enterprise threats Send it via email today. (All questions are anonymous.)

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing