There is a new social engineering attack on Mac users who discuss cryptocurrency investing in Slack and Discord groups. The attacker first poses as an administrator of the chat group and asks victims to type a command into a terminal window. Running that command downloads a 34 MB file that infects the Mac with malware, giving the attackers access to the machine and letting them steal its data and the private keys to the victim's digital asset wallets.
The macOS malware is being labeled OSX.Dummy. The social engineers behind it target users who are not tech savvy or who are new to crypto investing. After establishing trust in a chat room and convincing the unsuspecting victim to install the malware, the attacker takes control of the user's computer through a C&C server hosted on IP addresses in the Netherlands.
A C&C (command-and-control) server is a computer that issues directives to computers and other devices infected with rootkits or other malware. Once your Mac is infected, it can become part of a network of other infected machines, a botnet. In addition to stealing your crypto, this gives the attackers the ability to use your computing power for DDoS (distributed denial of service) attacks on other computers and servers. A computer that is part of a botnet can also be used to distribute malware to other users, magnifying the problem.
In an interview with Dark Reading, Ryan Benson, senior threat researcher at Exabeam, said, “A lot of otherwise non-technical people have jumped on the cryptocurrency bandwagon and want to get involved. Cryptocurrencies are inherently technical, so these less-technical users may be used to following technical how-tos without really understanding what the commands they run are doing. This puts them in dangerous territory and ripe for an attack like this, even if it is ‘dumb.’”
It can be said that the flood of people FOMOing into the crypto market is over, and most people who are still invested are serious about crypto. However, there are still many people who are not tech savvy, making them the perfect target for such an attack. To these people, typing in instructions from a chat room “administrator” seems innocuous. According to a diary entry by Remco Verhoef on the SANS Technology Institute website, the command snippets the victims are asked to run are fairly simple.
The 34 MB file that the user downloads comes back clean when scanned by antivirus engines, which lends it further credibility when the user takes the final step of running it.
Within the file, however, is a package that installs several files and tries to connect to an IP address in the Netherlands (220.127.116.11) managed by the German company CrownCloud. The malware persists as a launch daemon, and its purpose is a reverse shell: a connection opened from the infected Mac back to the attacker's server, which gives the attacker remote command access to the machine. While this information is meaningless to most users, it provides clues for dealing with the infection, as detailed on the Objective-See blog. According to that article, the binary is unsigned. Gatekeeper would normally block an unsigned binary, but it only inspects files that carry the quarantine attribute set by browsers and similar downloaders; a file fetched and executed directly via terminal commands never receives that attribute, so Gatekeeper is not consulted at all.
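The persistence and C&C details above are exactly what a defender can check for. The following script is an added example, not code from the article or from Objective-See: it parses launch daemon property lists and flags the combination of traits described here (a program running from a staging directory, RunAtLoad and KeepAlive set, and an IP address in the program arguments, including the 220.127.116.11 indicator from the article). The SUSPECT_PREFIXES list is an assumed heuristic, and both plists are constructed samples with made-up labels and paths, not the real OSX.Dummy launch daemon.

```python
import plistlib
import re

# Indicator taken from the article: the C&C address the sample tries to reach.
C2_IOC = "220.127.116.11"

# Assumed heuristic (not from the article): locations from which a legitimate
# LaunchDaemon rarely runs its program.
SUSPECT_PREFIXES = ("/tmp", "/private/tmp", "/var/tmp", "/private/var/tmp", "/Users")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies beneath it."""
    return path == prefix or path.startswith(prefix + "/")


def triage_launch_daemon(plist_bytes: bytes) -> dict:
    """Parse one LaunchDaemon/LaunchAgent plist and return review findings.

    RunAtLoad and KeepAlive are normal for many legitimate daemons, so they
    only add weight in combination with other signals; a match on the known
    C&C address is treated as decisive on its own.
    """
    plist = plistlib.loads(plist_bytes)
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = plist.get("Program") or (args[0] if args else None)
    args_text = " ".join(args)

    findings = {
        "label": plist.get("Label"),
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
        "program_in_suspect_dir": bool(program)
        and any(_under(program, p) for p in SUSPECT_PREFIXES),
        "ipv4_in_args": sorted(set(IPV4_RE.findall(args_text))),
        "matches_c2_ioc": C2_IOC in args_text,
    }
    findings["score"] = sum(
        bool(findings[k])
        for k in ("run_at_load", "keep_alive", "program_in_suspect_dir",
                  "ipv4_in_args", "matches_c2_ioc")
    )
    if findings["matches_c2_ioc"] or findings["score"] >= 3:
        findings["verdict"] = "suspicious"
    elif findings["score"] >= 1:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "benign"
    return findings


def triage_many(plists: dict) -> list:
    """Triage a {filename: plist bytes} mapping, most suspicious first."""
    results = []
    for name, data in plists.items():
        f = triage_launch_daemon(data)
        f["file"] = name
        results.append(f)
    return sorted(results, key=lambda f: f["score"], reverse=True)


# Constructed sample: a daemon shaped like the behaviour the article describes.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed-suspect</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/constructed_client</string><string>220.127.116.11</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary-looking helper that merely starts at boot.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed-benign</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/constructed_helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    # On a real Mac, read the files in /Library/LaunchDaemons instead.
    for f in triage_many({"suspect.plist": SUSPECT_PLIST, "benign.plist": BENIGN_PLIST}):
        print(f"{f['file']}: {f['verdict']} (score {f['score']}) program={f['program']}")
```

The output is a ranked list for a human to review rather than an automatic verdict: the benign sample still scores 1 because RunAtLoad is set, which is why a single common flag is reported as "review" and only the stacked signals, or the known C&C address, produce "suspicious".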
If you own an iMac, MacBook, or other Mac, and you have taken part in Slack or Discord cryptocurrency conversations, be careful about this new attack, and run KnockKnock to check whether you're infected.