There’s a new DNS highjacking malware for the Mac dubbed OSX/MaMi in the wild, and virus and malware checkers aren’t yet detecting. OSX/MaMi lets attackers route your Internet traffic through their own servers and collect personal data, plus it can upload and download files, take screenshots, and more.
Security researcher and former NSA hacker Patrick Wardle analyzed the malware and called it a DNS Hijacker. He said,
By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.
He said it can also take screenshots, upload and download files, generate mouse events, and execute commands.
Researchers haven’t discovered how it spreads yet. It’s likely attackers are tricking victims into installing it with fake security warnings and malicious email messages.
It’s easy to tell if you’ve been hit with OSX/MaMi by checking the DNS entries on your Mac. You can do that by going to Apple menu > System Preferences, Then do this:
- Select Network
- Click Advanced
- Choose the DNS tab
- Look for 220.127.116.11 and 18.104.22.168
If you see either of those IP addresses your Mac has been hit with OSX/MaMi. It’s unclear right how which files need to be removed from your Mac to remove the threat. Changing the DNS entries to something else, like Google’s 22.214.171.124, seems to fix the problem for now.
As always, you can minimize the risk of installing the malware by avoiding websites you don’t trust, not clicking on pop-ups or other alerts on webpages, and not clicking links in email messages from people you don’t know.