A security researcher has spotted a new strain of malware dubbed “MaMi” (OSX/MaMi) that targets Mac OS X DNS settings.
The issue first appeared on a Malwarebytes forum after a user installed “MyCoupon” software by accident and soon discovered the potential infection after DNS settings couldn’t be changed.
The issue was spotted by researcher Patrick Wardle, who wrote about the MaMi threat in a blog post.
According to Wardle, MaMi has traits eerily similar to a 2015 Windows malware named DNSUnlocker that hijacked DNS settings on Windows systems. For example, the DNS IP address changes were similar and the certificates installed were the same between the two malware strains. Wardle said that DNSUnlocker may have just been re-written to target Mac systems.
In addition to DNS hijacking, the MaMi malware is designed to:
- take screenshots,
- generate simulated mouse events,
- perhaps persists as a launch item (e.g., programArguments, runAtLoad),
- download & upload files, and
- execute commands.
If you think you may be infected, check the DNS settings for unusual DNS changes.
Recommended mitigations include the removal of DNS settings and any installed malicious certificates (e.g., cloudguard.me), as well as run a full AV scan to detect/clean your system.
You may also consider completely reinstalling the Mac OS to be safe. At the time of the blog post, many AV products were not able to detect MaMi, but will most likely add protections soon.