MaMi: Malware for Apple Mac changes DNS settings and is a root threat

In addition to the confusing security gap communicated by Deutsche Telekom bone 6 there is currently another security warning for networks. Like security researcher Patrick Wardle in his Blog shows, so can the MaMi or OSX / MaMi Manipulate the named malware DNS settings and cause further damage. MaMi primarily attacks Apple Mac systems and the networks / servers built up with them. The malware is supposed to be based on the Windows malware DNSUnlocker based. I have summarized the details for you below.

MaMi or OSX / MaMi is macOS malware for DNS hijacking. Details on the threat to the Mac can be found here!

MaMi or OSX / MaMi is macOS malware for DNS hijacking. Details on the threat to the Mac can be found here!

MaMi malware changes DNS settings on the Mac

The malware called MaMi is said to be able to change settings in the DNS (Domain Name System) area in Apple operating systems such as Mac OS X and macOS. First reports on the threat should be posted in the forum of Malwarebytes which Wardle used as a guide in his investigations. Here are a few findings from the analysis of the "macOS DNS Hijacker":

  • DNS hijacking
  • Creation of screenshots
  • Simulation of mouse inputs
  • Download files
  • Executions of code
  • Setup as an autostart program
  • Hosting on multiple domains

Conclusion and FAQ from Patrick Wardle

OSX / MaMi is not very well developed - but it changes infected systems in a rather ugly and persistent way. By installing a new root certificate and hijacking the DNS server, the attacker can perform a number of malicious actions, such as man- in-the-middle actions in the traffic (to possibly steal authorizations or insert advertising. (Translation of the "Conclusions" from the blog post linked above)

Inset - more interesting posts on the blog:

How do you infect the system with OSX / MaMi?

This is currently unknown. Nevertheless, it is possible that the attackers use methods such as e-mails, web-based fake security warnings or pop-ups or even social engineering attacks to target Mac users.

How do I find out if my system is infected?

Look in the DNS settings and check whether they have been set to 82.163.143.135 and / or 82.163.142.137. It also examines the system for the malicious cloudguard.me certificate.

How do I get rid of OSX / MaMi?

The safest way to do this is to reinstall macOS. Once the malware was on it, it is possible that it installed additional malware or gave access to a third party. Removing individual files, certificates, etc. doesn't help much. However, the first thing you should do is remove the files and reset the DNS server.

Will antivirus software protect me?

Maybe. However, MaMi is a relatively new threat. The blog entry linked at the beginning recommends tools that can detect and block outgoing traffic. So you can create a firewall that weakens attacks.

What does the name OSX / MaMi mean?

The name is not based on other malware called DNSChanger or the like, but was named after a core class called "SBMaMiSettings". Details can be found in the detailed guide on the subject by Patrick Wardle on the Objective See Blog.

-

Did you like the article and did the instructions on the blog help you? Then I would be happy if you the blog via a Steady Membership or at Patreon would support.

Leave a Comment

Your e-mail address will not be published.