I contacted Simon at Obdev (Little Snitch) and asked for his opinion on this. He suggested adding these rules to block against the DNS servers being installed.
"
thank you for letting us know about this.
I will dig somewhat deeper into this issue, but after a brief look I can state the following:
This malware called OSX/MaMi is an unsigned Mach-O 64-bit executable - that means, macOS will warn you when you run this executable and Little Snitch will warn you in case this unsigned process wants to make any network connections.
Still - the tricky part comes in when you actually run the executable, enter your admin password and therefore allow it to change your system configuration, particularly your DNS configuration.
Little Snitch comes with a factory allow rule for the /usr/sbin/mDNSResponder process, which is the central service in macOS that maps computer names to Internet addresses. This rule allows mDNSResponder to connect anywhere.
Therefore Little Snitch will possibly not warn you once your DNS servers have been changed, as these connections are usually intended.
The article also describes that these populated DNS servers are 82.163.143.135 and 82.163.142.137.
So you could add the following two rules to simply deny any connections for system processes (like mDNSResponder) to these addresses:
action: deny
direction: incoming
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

action: deny
direction: outgoing
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware
You could simply copy the lines and paste them into the Little Snitch Configuration to create the rules."
OneMadCow
Los Angeles
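The check a defender would want alongside those rules, as an added example that is not from OneMadCow's post or from Obdev: a POSIX sh script that scans `scutil --dns` output for the two resolver addresses quoted above, since the rules only block traffic and do not tell you whether the resolver configuration has already been changed. The scutil output embedded below is a constructed sample, and the names `MAMI_DNS`, `extract_nameservers`, `check_resolvers` and `check_text` are chosen here.

```shell
# Added example (not from the forum post or Obdev). Looks for the two MaMi
# resolver addresses named in the post in scutil --dns style output.
# On a Mac you feed it the live command; a constructed sample is embedded
# so the script also runs offline on any POSIX shell.

MAMI_DNS="82.163.143.135 82.163.142.137"

# Read scutil --dns style text on stdin (lines like
# "  nameserver[0] : 8.8.8.8") and print the unique resolver addresses.
extract_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*][[:space:]]*:[[:space:]]*//p' | sort -u
}

# Return 1 (and print the offending addresses) if any configured resolver
# is one of the MaMi addresses, 0 otherwise.
check_resolvers() {
    found=0
    for ns in $(extract_nameservers); do
        for bad in $MAMI_DNS; do
            if [ "$ns" = "$bad" ]; then
                echo "MATCH: resolver $ns is a known MaMi DNS server"
                found=1
            fi
        done
    done
    return $found
}

# Convenience wrapper: check a string instead of stdin.
check_text() {
    printf '%s\n' "$1" | check_resolvers
}

# Constructed sample of scutil --dns output from a machine whose resolvers
# were replaced with the MaMi addresses (not real captured data).
SAMPLE_INFECTED='DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)'

# Constructed sample from a clean machine using its router as resolver.
SAMPLE_CLEAN='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)'

# On a real Mac, run the live check (scutil only exists on macOS);
# elsewhere, demonstrate on the constructed samples.
if command -v scutil >/dev/null 2>&1; then
    scutil --dns | check_resolvers && echo "no MaMi resolvers configured"
else
    check_text "$SAMPLE_CLEAN" && echo "clean sample: no MaMi resolvers"
    check_text "$SAMPLE_INFECTED" || echo "infected sample: MaMi resolvers found"
fi
```

A non-zero exit from `check_resolvers` is the signal to act on: the Little Snitch rules above stop the traffic, but the resolver entries themselves still have to be removed from the network settings.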