{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mami/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dns hijacking","macos","mami","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOSX/MaMi, a macOS malware identified in January 2018, targets users by hijacking their DNS settings and installing a malicious certificate into the System keychain. This allows attackers to potentially intercept all network traffic. The malware, version 1.1.0, exhibits a range of functionalities beyond DNS hijacking, including the ability to take screenshots, generate simulated mouse events, persist as a launch item, download and upload files, and execute arbitrary commands. This malware communicates with various domains such as honouncil.info, gorensin.info, and squartera.info to report activity, posing a significant risk to user privacy and data security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe malware is initially downloaded from a hosting site, such as \u003ccode\u003ehttp://regardens.info/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded Mach-O executable is executed on the macOS system.\u003c/li\u003e\n\u003cli\u003eMaMi modifies the system\u0026rsquo;s DNS settings, replacing the legitimate DNS servers with malicious ones, specifically \u003ccode\u003e82.163.143.135\u003c/code\u003e and \u003ccode\u003e82.163.142.137\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malware installs a malicious certificate into the System keychain, likely using the \u003ccode\u003esecurity add-trusted-cert\u003c/code\u003e command to bypass certificate pinning.\u003c/li\u003e\n\u003cli\u003eIt may establish persistence by configuring itself as a launch item using the \u003ccode\u003eprogramArguments\u003c/code\u003e and \u003ccode\u003erunAtLoad\u003c/code\u003e methods.\u003c/li\u003e\n\u003cli\u003eMaMi takes screenshots of the user\u0026rsquo;s desktop using the \u003ccode\u003etakeScreenshotAt:\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe malware exfiltrates collected data and sends reports to command and control servers, including \u003ccode\u003ehonouncil.info\u003c/code\u003e, \u003ccode\u003egorensin.info\u003c/code\u003e, and \u003ccode\u003esquartera.info\u003c/code\u003e, over HTTP.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the victim\u0026rsquo;s network traffic.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept network traffic, potentially stealing sensitive information like usernames, passwords, and financial data. Victims may experience redirection to malicious websites, phishing attacks, or installation of further malware. The malware also has the ability to take screenshots and simulate mouse clicks, potentially granting attackers access to sensitive data displayed on the screen or enabling them to perform actions on the infected system remotely.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for DNS queries directed to the malicious DNS servers \u003ccode\u003e82.163.143.135\u003c/code\u003e and \u003ccode\u003e82.163.142.137\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for outbound network connections to the reporting domains \u003ccode\u003ehonouncil.info\u003c/code\u003e, \u003ccode\u003egorensin.info\u003c/code\u003e, and \u003ccode\u003esquartera.info\u003c/code\u003e using network_connection category rules.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rules to detect suspicious processes modifying DNS settings or installing certificates.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for execution of unsigned Mach-O binaries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2018-01-11T07:33:40Z","date_published":"2018-01-11T07:33:40Z","id":"/briefs/2018-01-ay-mami-dns-hijacker/","summary":"OSX/MaMi is a macOS malware that hijacks DNS settings and installs a malicious certificate into the system keychain to intercept network traffic, while also possessing capabilities for taking screenshots, simulating mouse events, persisting as a launch item, downloading and uploading files, and executing commands.","title":"OSX/MaMi DNS Hijacking Malware","url":"https://feed.craftedsignal.io/briefs/2018-01-ay-mami-dns-hijacker/"}],"language":"en","title":"CraftedSignal Threat Feed — Mami","version":"https://jsonfeed.org/version/1.1"}