MikeOfMaine Posted January 11, 2018 ID:1198889 I am helping a fellow teacher. She accidentally installed something and her DNS now appears to be hacked. Malwarebytes found "MyCoupon" but that was all. I manually removed the offending DNS entries (82.163.143.135 & 82.163.142.137) but they keep coming back. I don't see any extensions, startup items, or other obvious signs of what is going wrong. I tried to generate a report, but there is no "Support" option under Help on the version on her laptop. Thank you, Mike
treed (Staff) Posted January 15, 2018 ID:1199981 Mike, I sent you a couple of direct messages last week to get more information. If you see this, and haven't seen those, can you please respond to those messages? I'd like more information about this. You can see your direct messages here by clicking the icon shown here, in the top right corner of this page: This appears to be new malware, and although we've located samples of this malware, there are still a lot of unanswered questions about it. Any help you can provide us would be very welcome. For anyone else reading, you can check for these malicious DNS entries by opening System Preferences and clicking the Network icon. Then click the Advanced button in the bottom right corner of the Network pane. In the sheet window that drops down, click the DNS tab, and look at the entries in the DNS Servers list. If you see the malicious DNS entries in that list (82.163.143.135 & 82.163.142.137), you're infected, and I'd like to talk to you as well. Please feel free to respond here or send me a direct message.
maczen Posted January 15, 2018 ID:1200055 More info: https://objective-see.com/blog/blog_0x26.html
treed (Staff) Posted January 15, 2018 ID:1200062 8 minutes ago, maczen said: More info: https://objective-see.com/blog/blog_0x26.html Yup, that's a good analysis, but there are still a lot of questions left unanswered, and we need to see a real-world infection to answer them.
MikeOfMaine (Author) Posted January 16, 2018 ID:1200555 treed, Sorry, I was out in the woods for the past two days and just got back into the electronic world. I attached the file once to you privately and will attach it here now also. ForMalwarebytes.txt
treed (Staff) Posted January 16, 2018 ID:1200564 Thanks, Mike! I see one item I'm not familiar with, which I'd like to take a look at. In the Finder, choose Go to Folder from the Go menu. Then, in the window that opens, paste the following path: /Library/LaunchDaemons/ Then click the Go button. In the window that opens, look for an item named "Cyclonica.plist". If you could send that file to me, either here or via direct message, that would be helpful.
MikeOfMaine (Author) Posted January 16, 2018 ID:1200572 (edited) Here is the .plist. I left the username in (I was trying to save her shame Edited January 16, 2018 by MikeOfMaine
treed (Staff) Posted January 16, 2018 ID:1200580 Ooh, yeah, that looks like that's it. Delete that file, then restart the computer and see if you can change the DNS settings at that point. There's also another folder I'd like to see, which contains the malicious executable. This time, go to this path: ~/Library/Application Support/ Look for the folder named "Cyclonica" and zip that up. For that one, definitely please send it to me via direct message rather than posting it here, due to the sensitive nature of the contents. (Note that I'm not sure what else might be in that folder, in addition to the malicious executable, and whether it would be appropriate to post publicly or not.) I'll share the executable with other researchers.
MikeOfMaine (Author) Posted January 16, 2018 ID:1200582 Also note that, yes, this was a lame method of transmission. A popup came up that she clicked and followed through with.
treed (Staff) Posted January 16, 2018 ID:1200583 That was going to be my next question, once we completed the cleanup. I don't suppose you still have whatever she downloaded and opened, do you?
MikeOfMaine (Author) Posted January 16, 2018 ID:1200586 Nope, sorry. I am not sure exactly what it was or the details either. Also, I was able to delete the DNS settings before, but they would eventually change back to the 82.xxxx IPs at some random time after the change.
treed (Staff) Posted January 16, 2018 ID:1200632 That's too bad, but not unexpected. Anyway, back to cleaning up the machine: since that folder you sent over was empty and the executable gone for some reason, there should only be one last thing to do. This malware also adds a certificate from cloudguard.me to the System keychain. That will need to be removed. (The above image was taken from the Objective-See website, which has some good additional coverage of this malware: https://objective-see.com/blog/blog_0x26.html) So open Keychain Access, navigate to the System keychain there, and delete the cloudguard.me certificate.
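The manual checks treed walks through in this thread (the DNS Servers list, the Cyclonica LaunchDaemon and Application Support folder, and the cloudguard.me certificate in the System keychain) collected into one script, written as an added example for this thread and not code from Malwarebytes or any poster. It assumes the macOS networksetup and security tools, and that the certificate's common name is exactly cloudguard.me; the text-matching function is plain shell and can be tried on sample input anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: automates treed's manual checks.
# Assumes macOS `networksetup` and `security`; find_mami_dns is pure text
# matching so it can be exercised on constructed input on any system.

# The two resolver addresses named in the thread.
MAMI_DNS="82.163.143.135 82.163.142.137"

# Reads resolver lines on stdin, one address per line as `networksetup
# -getdnsservers` prints them, or `scutil --dns` style "nameserver[0] : x".
# Prints each MaMi address found; returns 0 if any was found, else 1.
find_mami_dns() {
    found=1
    while read -r line; do
        for ip in $MAMI_DNS; do
            # Pad with spaces so 182.163.143.135 does not match 82.163.143.135.
            case " $line " in
                *" $ip "*) echo "MaMi resolver present: $ip"; found=0 ;;
            esac
        done
    done
    return $found
}

# Feeds the DNS servers of every network service (Wi-Fi, Ethernet, ...)
# to find_mami_dns. networksetup prints a one-line legend first and marks
# disabled services with a leading '*', hence the tail and sed.
scan_dns_services() {
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while read -r svc; do
        networksetup -getdnsservers "$svc"
    done | find_mami_dns
}

# The persistence items and certificate treed asks for; returns 0 if any
# is present. Assumption: the certificate's common name is "cloudguard.me".
check_persistence() {
    hits=1
    [ -e /Library/LaunchDaemons/Cyclonica.plist ] &&
        { echo "LaunchDaemon present: /Library/LaunchDaemons/Cyclonica.plist"; hits=0; }
    [ -d "$HOME/Library/Application Support/Cyclonica" ] &&
        { echo "Folder present: ~/Library/Application Support/Cyclonica"; hits=0; }
    security find-certificate -c cloudguard.me /Library/Keychains/System.keychain >/dev/null 2>&1 &&
        { echo "cloudguard.me certificate in System keychain"; hits=0; }
    return $hits
}

# Live checks only make sense on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then
    scan_dns_services || echo "No MaMi resolver addresses configured."
    check_persistence || echo "No MaMi persistence items found."
fi
```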
OneMadCow Posted January 16, 2018 ID:1200701 I contacted Simon at Obdev (Little Snitch) and asked about his opinion on this. He suggested adding these rules to block against the DNS servers being installed.

"Thank you for letting us know about this. I will dig somewhat deeper into this issue, but after a brief look I can state the following: This malware called OSX/MaMi is an unsigned Mach-O 64-bit executable - that means macOS will warn you when you run this executable, and Little Snitch will warn you in case this unsigned process wants to make any network connections. Still, the tricky part comes in when you actually run the executable, enter your admin password and therefore allow it to change your system configuration, particularly your DNS configuration. Little Snitch comes with a factory allow rule for the /usr/sbin/mDNSResponder process, which is the central service in macOS that maps computer names to Internet addresses. This rule allows mDNSResponder to connect anywhere. Therefore Little Snitch will possibly not warn you once your DNS servers have been changed, as these connections are usually intended. The article also describes that these populated DNS servers are 82.163.143.135 and 82.163.142.137. So you could add the following two rules to simply deny any connections for system processes (like the mDNSResponder) to these addresses:

action: deny
direction: incoming
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

action: deny
direction: outgoing
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

You could simply copy the lines and paste them into the Little Snitch Configuration to create the rules."

OneMadCow, Los Angeles
Massimiliano Posted January 22, 2018 ID:1202443 (edited) Apple would have neutralized OSX/MaMi with the update of MRTConfigData to version 1.28 and XProtectPlistConfigData to version 2098. Check in System Information / Installations. Sources (Italian websites): "Apple has neutralized OSX/MaMi, the latest malware for Mac" and "Goodbye OSX/MaMi, Apple MRT 1.28 has already eaten it". I also await the recognition by Malwarebytes for more security. Greetings. Edited January 22, 2018 by MAXBAR1
alvarnell Posted January 22, 2018 ID:1202468 Actually, XProtect 2098 does not yet protect against the MaMi infection because the source of the infection has not yet been determined.
Massimiliano Posted January 30, 2018 ID:1210478 No news on eliminating this threat? Thanks, greetings.
treed (Staff) Posted January 30, 2018 ID:1210702 Malwarebytes for Mac has been detecting it for a while now.
alvarnell Posted January 30, 2018 ID:1210760 If I remember correctly, it started detecting the payload around January 16 or 17, except AFAIK, the attack vector is still unknown.
treed (Staff) Posted January 31, 2018 ID:1211045 Yeah, we know that when you run the malware, it installs itself... but we're no closer to finding the infection vector designed to run the malware in the first place. Nobody that I know of has found it yet. Unfortunately, that's not unusual.
MdnsRacoon Posted February 1, 2018 ID:1211428 Careful. On Mac. They are hacking rampantly, whoever they are. And perhaps trolling blogs. They are in mdnsresponder and raccoon. Logging information, sites you go to, etc. Perhaps more. Many people have expressed concern online but nobody seems to have an answer. They use Apple credentials to hack ports. They might even be getting into the terminal command for some. Whoever they are, they are pros. Little Snitch/Wireshark will scratch the surface.
Massimiliano Posted February 1, 2018 ID:1211438 (edited) Good morning, I received a report from MdnsRacoon's last post. How can you notice if you are under this type of attack? And in that eventuality, how should one behave? Is there already a remedy? Thank you, regards, Massimiliano Edited February 1, 2018 by MAXBAR1
MdnsRacoon Posted February 1, 2018 ID:1211466 I located this IP 184.105.247.203 connected to the mDNSResponder on a MacBook Pro, associated with hundreds of complaints. One person said they hacked and changed his Facebook account password. If they can see that, imagine all the private photos and messages they hack into.
treed (Staff) Posted February 1, 2018 ID:1211480 2 hours ago, MdnsRacoon said: They are in mdnsresponder and raccoon. I'm not sure what you're referring to, but mDNSResponder and raccoon are both legitimate Apple processes and not malicious. Further, they have no role in this malware. Can you clarify what you have observed?
MdnsRacoon Posted February 1, 2018 ID:1211492 43 minutes ago, MdnsRacoon said: I located this IP 184.105.247.203 connected to the mDNSResponder on a MacBook Pro, associated with hundreds of complaints. One person said they hacked and changed his Facebook account password. If they can see that, imagine all the private photos and messages they hack into. 31 minutes ago, treed said: I'm not sure what you're referring to, but mDNSResponder and raccoon are both legitimate Apple processes and not malicious. Further, they have no role in this malware. Can you clarify what you have observed?
MdnsRacoon Posted February 1, 2018 ID:1211493 Sure. I believe they are being used to possibly transmit data to and from a host, or are being manipulated by other networks. I'm not exactly sure what we are dealing with.