Apple’s macOS is reportedly the target of a new DNS hijacking exploit. As noted by The Hacker News, the malware is being likened to the DNSChange trojan that affected over four million computers in 2011…

This sort of malware works by changing DNS server settings on affected computers, thus routing traffic through malicious servers and logging sensitive data in the process. This new version is being referred to as OSX/MaMi.

News of this malware first appeared on the Malwarebytes forum, prompting ex-NSA hacker Patrick Wardle to do a deep dive into it. Wardle found that the malware is indeed a DNS Hijacker, but actually goes further and installs a new root certificate to hijack encrypted communication.

Furthermore the malware’s reach is said to extend to things such as generating mouse events, taking screenshots, and more:

“By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.

  • Taking screenshots
  • Generating simulated mouse events
  • Perhaps persists as a launch item (programArguments, runAtLoad)
  • Downloading & uploading files
  • Executing commands

There’s still a lot we don’t know about this attack. For instance, specific information about how it’s spreading remains unclear. Wardle speculates, however, that the attackers may be using rather basic methods of malicious emails and fake security alerts and popups.

Currently, you can check to make sure you aren’t affected by launching System Preferences, heading into the Network menu, choosing “Advanced” and toggling over to the DNS menu. On that menu, keep an eye out for 82.163.143.135 and 82.163.142.137.

It’s important to note that, as of right now, antivirus products are not detecting the malware:

Furthermore, Wardle will be releasing a free open-source firewall for macOS called Lulu that prevents the OSX/MaMi malware from stealing your data. Much more information from Wardle is available here.