Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Mysterious DNS Hijacking Malware Targets Mac Users

A new piece of Mac malware is making the rounds. OSX/MaMi hijacks macOS’s DNS settings to intercept traffic by routing it through malicious servers. Additional capabilities, which didn’t seem to be active in the version that researcher Patrick Wardle analyzed, include taking screenshots, generating simulated mouse events, persisting as a launch item, downloading and uploading files, and executing commands. The motive, the author, and how OSX/MaMi is spread are currently unknown, and when the Hacker News article was published, antivirus apps weren’t able to detect it. To see if you’re infected, check your DNS settings in System Preferences > Network and look for the DNS servers 82.163.143.135 and 82.163.142.137. But unless you did something to bypass macOS’s Gatekeeper security, you likely have nothing to worry about, since the malware’s executable isn’t signed by Apple.
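As an added example (not from the TidBITS article or from Patrick Wardle’s write-up), this shell script automates the check described above on macOS: it looks for the two DNS server addresses the article names in every network service’s configured DNS list and in the resolver configuration the system is actually using. It assumes the standard macOS `networksetup` and `scutil` tools; the matching logic is kept in its own function so it can be exercised with constructed input on any system.

```shell
#!/bin/sh
# Added example: look for the OSX/MaMi DNS servers named in the article.
# Not part of the original TidBITS post.

# The two indicator addresses given in the article.
MAMI_DNS="82.163.143.135 82.163.142.137"

# check_dns_list: read whitespace-separated DNS server addresses from stdin,
# print each one that matches the indicator list, and return 0 if anything
# matched (1 if clean). Independent of macOS so it can be tested anywhere.
check_dns_list() {
    found=1
    for server in $(cat); do
        for bad in $MAMI_DNS; do
            if [ "$server" = "$bad" ]; then
                echo "$server"
                found=0
            fi
        done
    done
    return $found
}

# scan_mac: query the live configuration (assumes macOS tools are present).
scan_mac() {
    # Manually configured servers per service, which is what
    # System Preferences > Network displays. The first line of
    # -listallnetworkservices is a header; disabled services carry a '*'.
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        networksetup -getdnsservers "$svc" | check_dns_list | sed "s/^/$svc: /"
    done
    # Servers the resolver is really using, including DHCP-supplied ones
    # ("nameserver[0] : a.b.c.d" lines in scutil --dns output).
    scutil --dns | awk '/nameserver\[/ {print $3}' | check_dns_list |
        sed 's/^/resolver: /'
}

if command -v networksetup >/dev/null 2>&1 && command -v scutil >/dev/null 2>&1; then
    hits=$(scan_mac)
    if [ -n "$hits" ]; then
        printf 'OSX/MaMi DNS servers present:\n%s\n' "$hits"
    else
        echo "No OSX/MaMi DNS servers found."
    fi
else
    echo "macOS network tools not found; skipping live scan." >&2
fi
```

If either indicator appears, the service it was found on is printed in front of it; a clean system prints a single confirmation line.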


Comments about Mysterious DNS Hijacking Malware Targets Mac Users

Steve Harmony  2018-01-23 09:07
If you're on a WiFi connection, you likely have your DNS set to search on your WiFi router; you'll see a non-routable address like 192.168.x.x or 10.10.x.x. Out of curiosity I checked my Google WiFi DNS; it's set to the factory default of 8.8.8.8, Google's public DNS server.
Bob Peterson  2018-01-29 09:25
I bypass Gatekeeper often, and probably so do others. Every time I control+click > Open a downloaded executable, I bypass Gatekeeper. As developers keep avoiding the Mac App Store, and open source developers don’t bother with code signing, we have to do this. Which is pretty much every app not from the MAS.
G. Douglas Eddy  2018-02-01 12:57
"when the Hacker News article was published, antivirus apps weren’t able to detect it." I checked with Intego Software and my antivirus includes protection from OS X/MaMi. Thank you for a very helpful article AND the right instructions on how to see if your DNS settings! lol
Josh Centers (TidBITS Staff)  2018-02-01 13:40
Happy to help!
Adam Engst (TidBITS Staff)  2018-02-01 13:58
Good to hear that Intego updated to cover it — we anticipated that happening, but didn't know when each anti-malware app would be done.