A new Mac malware has recently been discovered and given the name OSX/MaMi. The virus seems to be capable of hijacking a device’s DNS settings and is currently undetectable by anti-virus software.
There’s a common misconception regarding Mac viruses that has been floating around the internet for many years. The misconception is that Macs cannot get infected by viruses, which has been proven time and time again to be false. In fact, an example of a MacOS malware has very recently been discovered and is currently being investigated by security researcher Patrick Wardle. The virus goes by the name OSX/MaMi and it seems to have been primarily designed to modify a computer’s DNS, but could potentially be used to cause an even greater deal of harm if left unchecked.
While digging around through the malware’s source code, Wardle was able to learn that the latest version of the virus, or at least the version that he came across, is 1.1.0. This indicates that OSX/MaMi hasn’t been around for very long and its full range of capabilities is still unknown. This idea is backed up by the fact that anti-virus software is currently not able to detect the new malware, though this is expected to change in the near future. But while a file infected with OSX/MaMi might show up as clean during scans, Wardle assures us that this is definitely not the case.
The researcher noted that this isn’t a particularly advanced piece of malware, however, it should not be underestimated just because of that. According to Wardle, OSX/MaMi is able to install a local root certificate and modify the system’s DNS settings. Furthermore, the malware can also download and upload files, run commands, and even hijack mouse clicks. As mentioned, OSX/MaMi has only been found to change DNS settings, at least for now, but seems to be capable of performing many other tasks. It’s unclear at this time if the malware requires some sort of user input in order to exhibit additional behavior or if further malicious tools are meant to be added in a future version.
Despite being only recently discovered, a Mac user has already reported coming across OSX/MaMi. According to a post on the Malwarebytes forums, the malware is indeed able to modify DNS settings and seems to be very difficult to get rid of. It would appear that even after manually removing the new DNS entries put in place by OSX/MaMi, they keep coming back and the user can’t figure out why.
The post also mentions that the device’s DNS settings have been changed to 18.104.22.168 and 22.214.171.124, which is one of the few clues we have to go on for now. If you’re worried about your system being infected by OSX/MaMi, you may want to check your DNS settings and make sure they haven’t been modified to the aforementioned values.