
I am helping a fellow teacher.  She accidentally installed something and her DNS now appears to be hacked.

Malwarebytes found "MyCoupon" but that was all.  I manually removed the offending DNS entries (82.163.143.135 & 82.163.142.137) but they keep coming back.  I don't see any extensions, startup items, or other obvious signs of what is going wrong.

I tried to generate a report, but there is no "Support" option under help on the version on her laptop.

Thank you,

Mike


Mike,

I sent you a couple direct messages last week to get more information. If you see this, and haven't seen those, can you please respond to those messages? I'd like more information about this. You can see your direct messages here by clicking the icon shown here, in the top right corner of this page:

[Screenshot, 2018-01-15: the direct-messages icon in the top right corner of the page]

This appears to be new malware, and although we've located samples of this malware, there are still a lot of unanswered questions about it. Any help you can provide us would be very welcome.

For anyone else reading, you can check for these malicious DNS entries by opening System Preferences and clicking the Network icon. Then click the Advanced button in the bottom right corner of the Network pane. In the sheet window that drops down, click the DNS tab, and look at the entries in the DNS Servers list. If you see the malicious DNS entries in that list (82.163.143.135 & 82.163.142.137), you're infected, and I'd like to talk to you as well. Please feel free to respond here or send me a direct message.

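The same check from the Terminal, as an added example that is not part of the original thread: it reads the resolver configuration with networksetup and scutil on macOS and flags the two addresses named above. On a host without those tools (or for a dry run) it falls back to a constructed sample of `scutil --dns` output, which is assumed to match the real tool's format.

```shell
#!/bin/sh
# Added example, not code from the original thread: check a Mac's DNS
# resolver configuration for the two OSX/MaMi resolver addresses the thread
# names. On macOS the live configuration is read with networksetup(8) and
# scutil(8); on any other host the constructed sample below is used instead
# so the matching logic can still be exercised.

# Resolver addresses reported in the thread for OSX/MaMi.
MAMI_DNS="82.163.143.135 82.163.142.137"

# is_mami_dns IP: succeed if IP is one of the known MaMi resolvers.
is_mami_dns() {
    for bad in $MAMI_DNS; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# has_mami_dns: read whitespace-separated addresses on stdin, print each
# matching resolver once, and succeed if at least one matched.
has_mami_dns() {
    hit=1
    seen=" "
    for ip in $(cat); do
        is_mami_dns "$ip" || continue
        case "$seen" in
            *" $ip "*) ;;                          # already reported
            *) echo "$ip"; seen="$seen$ip " ;;
        esac
        hit=0
    done
    return $hit
}

# parse_scutil_dns: extract resolver addresses from `scutil --dns` output
# (lines of the form "  nameserver[0] : 82.163.143.135").
parse_scutil_dns() {
    awk '/nameserver\[/ { print $3 }'
}

# collect_live_dns (macOS only): every resolver configured on any network
# service, plus the resolvers the system is actually using right now.
collect_live_dns() {
    networksetup -listallnetworkservices 2>/dev/null | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        networksetup -getdnsservers "$svc" 2>/dev/null
    done
    scutil --dns 2>/dev/null | parse_scutil_dns
}

# Constructed sample in the shape of `scutil --dns` output from an infected
# machine; used when the macOS tools are unavailable.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000'

if command -v scutil >/dev/null 2>&1 && command -v networksetup >/dev/null 2>&1; then
    dns=$(collect_live_dns)
else
    echo "macOS network tools not found; checking the constructed sample instead" >&2
    dns=$(printf '%s\n' "$SAMPLE_SCUTIL" | parse_scutil_dns)
fi

if printf '%s\n' "$dns" | has_mami_dns; then
    echo "MaMi resolver address(es) above are configured: treat the machine as infected."
    # Clearing them by hand (e.g. `networksetup -setdnsservers Wi-Fi empty`)
    # is not enough on its own; later in the thread the launch daemon puts them back.
else
    echo "No MaMi resolver addresses configured."
fi
```

Checking both networksetup and scutil matters: networksetup shows what is configured per service, while scutil shows what the resolver is actually using, so a resolver pushed in by some other route still shows up.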

Thanks, Mike!

I see one item I'm not familiar with, which I'd like to take a look at. In the Finder, choose Go to Folder from the Go menu. Then, in the window that opens, paste the following path:

/Library/LaunchDaemons/

Then click the Go button.

In the window that opens, look for an item named "Cyclonica.plist". If you could send that file to me, either here or via direct message, that would be helpful.


Here is the .plist. I left the username in (I was trying to save her shame ;)

Edited by MikeOfMaine


Ooh, yeah, that looks like that's it. Delete that file, then restart the computer and see if you can change the DNS settings at that point.

There's also another folder I'd like to see, which contains the malicious executable. This time, go to this path:

~/Library/Application Support/

Look for the folder named "Cyclonica" and zip that up. For that one, definitely please send it to me via direct message rather than posting it here, due to the sensitive nature of the contents. (Note that I'm not sure what else might be in that folder, in addition to the malicious executable, and whether it would be appropriate to post publicly or not.) I'll share the executable with other researchers.


Also note that, yes, this was a lame method of transmission.  A popup came up that she clicked and followed through with.


That was going to be my next question, once we completed the cleanup. I don't suppose you still have whatever she downloaded and opened, do you?


Nope, sorry.

I am not sure exactly what it was or the details either.

Also, I was able to delete the DNS settings before, but they would eventually change back to the 82.xxxx IPs at some random time after the change.


That's too bad, but not unexpected.

Anyway, back to cleaning up the machine, since that folder you sent over was empty and the executable gone for some reason, there should only be one last thing to do. This malware also adds a certificate from cloudguard.me to the System keychain. That will need to be removed.

[Image: the cloudguard.me certificate as it appears in Keychain Access]

(The above image was taken from the Objective-See website, which has some good additional coverage of this malware: https://objective-see.com/blog/blog_0x26.html)

So open Keychain Access, navigate to the System keychain there, and delete the cloudguard.me certificate.

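The three cleanup steps described in this thread (the Cyclonica.plist launch daemon, the ~/Library/Application Support/Cyclonica folder, and the cloudguard.me certificate in the System keychain), collected into one sweep as an added example that is not code from the original thread or from Malwarebytes. The file checks take a root prefix and a home directory so they can be exercised on a scratch directory; the keychain steps use macOS's security(1) and are skipped where it is absent. The artifact names are exactly those given above; nothing else is assumed about the malware.

```shell
#!/bin/sh
# Added example, not code from the original thread: sweep a Mac for the
# three OSX/MaMi artifacts the thread walks through and, with REMOVE=1,
# clean them up in one go:
#   1. /Library/LaunchDaemons/Cyclonica.plist   (persistence; re-applies the DNS servers)
#   2. ~/Library/Application Support/Cyclonica  (dropped executable)
#   3. a cloudguard.me certificate in the System keychain
# The file checks take a root prefix and a home directory as arguments so
# they can be run against a scratch directory; the keychain steps need
# macOS's security(1) and are skipped elsewhere. On a real Mac run it as root.

CERT_NAME="cloudguard.me"

# mami_file_artifacts ROOT HOMEDIR: print each on-disk artifact that exists
# under the given prefixes (ROOT is "" on a live system); succeed if any do.
mami_file_artifacts() {
    hit=1
    for p in "$1/Library/LaunchDaemons/Cyclonica.plist" \
             "$2/Library/Application Support/Cyclonica"; do
        if [ -e "$p" ]; then
            echo "$p"
            hit=0
        fi
    done
    return $hit
}

# mami_cert_present KEYCHAIN: succeed if a cloudguard.me certificate is in it.
mami_cert_present() {
    security find-certificate -c "$CERT_NAME" "$1" >/dev/null 2>&1
}

# remove_mami_artifacts ROOT HOMEDIR: unload and delete the launch daemon,
# delete the dropped folder, and delete the certificate (together with its
# trust settings, -t) when security(1) is available.
remove_mami_artifacts() {
    plist="$1/Library/LaunchDaemons/Cyclonica.plist"
    if [ -f "$plist" ]; then
        if command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$plist" 2>/dev/null || true   # may already be unloaded
        fi
        rm -f "$plist"
    fi
    if [ -n "$2" ] && [ -d "$2/Library/Application Support/Cyclonica" ]; then
        rm -rf "$2/Library/Application Support/Cyclonica"
    fi
    keychain="$1/Library/Keychains/System.keychain"
    if command -v security >/dev/null 2>&1 && mami_cert_present "$keychain"; then
        security delete-certificate -c "$CERT_NAME" -t "$keychain" ||
            echo "could not delete the $CERT_NAME certificate (run as root?)" >&2
    fi
}

echo "== OSX/MaMi artifact sweep =="
if mami_file_artifacts "" "$HOME"; then
    echo "Cyclonica persistence/dropper files are present."
else
    echo "No Cyclonica files found."
fi
if command -v security >/dev/null 2>&1; then
    if mami_cert_present /Library/Keychains/System.keychain; then
        echo "A $CERT_NAME certificate is in the System keychain."
    else
        echo "No $CERT_NAME certificate in the System keychain."
    fi
else
    echo "security(1) not available here; keychain check skipped." >&2
fi
if [ "${REMOVE:-0}" = 1 ]; then
    remove_mami_artifacts "" "$HOME"
    echo "Cleanup done; restart and re-check the DNS settings."
fi
```

Run it once without REMOVE to see what is present, then `sudo REMOVE=1 sh mami-sweep.sh` to clean up; unloading the launch daemon before deleting its plist stops the running job from re-writing the DNS servers in the meantime, which is the behaviour that made manual DNS edits not stick earlier in the thread.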

I contacted Simon at Obdev (Little Snitch) and asked for his opinion on this. He suggested adding these rules to block against the DNS servers being installed.

"

Thank you for letting us know about this.

I will dig somewhat deeper into this issue, but after a brief look I can state the following:

This malware, called OSX/MaMi, is an unsigned Mach-O 64-bit executable. That means macOS will warn you when you run this executable, and Little Snitch will warn you in case this unsigned process wants to make any network connections.

Still, the tricky part comes in when you actually run the executable, enter your admin password and therefore allow it to change your system configuration, particularly your DNS configuration.

Little Snitch comes with a factory allow rule for the /usr/sbin/mDNSResponder process, which is the central service in macOS that maps computer names to Internet addresses. This rule allows mDNSResponder to connect anywhere.

Therefore Little Snitch will possibly not warn you once your DNS servers have been changed, as these connections are usually intended.

The article also describes that these populated DNS servers are 82.163.143.135 and 82.163.142.137.

So you could add the following two rules to simply deny any connections for system processes (like mDNSResponder) to these addresses:

action: deny
direction: incoming
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

action: deny
direction: outgoing
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

You could simply copy the lines and paste them into the Little Snitch Configuration to create the rules."

OneMadCow
Los Angeles


Apple has reportedly neutralized OSX/MaMi with the update of MRTConfigData to version 1.28 and XProtectPlistConfigData to version 2098.
Check under System Information / Installations.

Sources (Italian websites):

Apple has neutralized OSX/MaMi, the latest malware for Mac

Link: Goodbye OSX/MaMi, Apple MRT 1.28 has already eaten it

I am also waiting for Malwarebytes to add detection, for extra safety.

Regards

Edited by MAXBAR1

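A way to confirm from the Terminal which versions of those two Apple definition packages a Mac has installed, as an added example that is not part of the original thread. It reads the same install history that System Information / Installations displays (`system_profiler SPInstallHistoryDataType`) and picks the newest recorded version of each package; the sample history embedded below is constructed, and its layout is assumed to match the real tool's output. Whether those versions actually block the infection is a separate question the replies below take up.

```shell
#!/bin/sh
# Added example, not code from the original thread: confirm that the Apple
# definition updates named in the thread (MRTConfigData 1.28 and
# XProtectPlistConfigData 2098) appear in the install history that
# System Information > Installations shows. On macOS the history comes from
# system_profiler(8); elsewhere a constructed sample is used instead.

# latest_installed_version NAME: read `system_profiler SPInstallHistoryDataType`
# output on stdin and print the newest version recorded for package NAME
# (the same package is listed once per update, so several entries may exist).
latest_installed_version() {
    awk -v pkg="$1:" '
        /^    [^ ]/                    { cur = $1 }   # package heading, e.g. "MRTConfigData:"
        cur == pkg && $1 == "Version:" { print $2 }   # version line under that heading
    ' | sort -t . -k1,1n -k2,2n -k3,3n | tail -n 1
}

# version_at_least HAVE MIN: succeed if dotted version HAVE is >= MIN.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# report_definition NAME MIN: read install history on stdin, print a one-line
# status, and succeed only if NAME is installed at version MIN or newer.
report_definition() {
    have=$(latest_installed_version "$1")
    if [ -z "$have" ]; then
        echo "$1: not in install history"
        return 1
    elif version_at_least "$have" "$2"; then
        echo "$1: $have (>= $2, OK)"
        return 0
    else
        echo "$1: $have (older than $2)"
        return 1
    fi
}

# Constructed sample in the shape of `system_profiler SPInstallHistoryDataType`
# output (assumed layout), with an older MRTConfigData entry still listed.
SAMPLE_HISTORY='Installations:

    MRTConfigData:

      Version: 1.27
      Source: Apple
      Install Date: 1/8/18, 9:14 AM

    macOS 10.13.2 Update:

      Version: 10.13.2
      Source: Apple
      Install Date: 12/7/17, 6:02 PM

    MRTConfigData:

      Version: 1.28
      Source: Apple
      Install Date: 1/18/18, 8:41 AM

    XProtectPlistConfigData:

      Version: 2098
      Source: Apple
      Install Date: 1/18/18, 8:41 AM'

if command -v system_profiler >/dev/null 2>&1; then
    HISTORY=$(system_profiler SPInstallHistoryDataType 2>/dev/null)
else
    echo "system_profiler not found; reading the constructed sample instead" >&2
    HISTORY="$SAMPLE_HISTORY"
fi

for spec in "MRTConfigData 1.28" "XProtectPlistConfigData 2098"; do
    set -- $spec
    printf '%s\n' "$HISTORY" | report_definition "$1" "$2" || true
done
```

The version comparison is numeric on each dotted field rather than a string comparison, so 1.28 is correctly recognised as newer than 1.9, and a package that has never been installed is reported as missing rather than silently treated as current.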

Actually, XProtect 2098 does not yet protect against the MaMi infection because the source of the infection has not yet been determined.


If I remember correctly, it started detecting the payload around January 16 or 17, except AFAIK, the attack vector is still unknown. 


Yeah, we know that when you run the malware, it installs itself... but we're no closer to finding the infection vector designed to run the malware in the first place. Nobody that I know of has found it yet. Unfortunately, that's not unusual.


Careful. On Mac. They are hacking rampantly, whoever they are. And perhaps trolling blogs. They are in mDNSResponder and raccoon. Logging information, sites you go to, etc. Perhaps more. Many people have expressed concern online but nobody seems to have an answer. They use Apple credentials to hack ports. They might even be getting into the terminal command for some. Whoever they are, they are pros. Little Snitch/Wireshark will scratch the surface.


Good morning,
I received a notification about MdnsRacoon's last post.
How can you tell if you are under this type of attack?
And in that event, how should one proceed? Is there already a remedy?
Thank you
Regards
Massimiliano

Edited by MAXBAR1


I located this IP, 184.105.247.203, connected to the mDNSResponder on a MacBook Pro, associated with hundreds of complaints. One person said they hacked and changed his Facebook account password. If they can see that, imagine all the private photos and messages they hack into.

2 hours ago, MdnsRacoon said:

They are in mdnsresponder and raccoon.

I'm not sure what you're referring to, but mDNSResponder and raccoon are both legitimate Apple processes and not malicious. Further, they have no role in this malware.

Can you clarify what you have observed?

43 minutes ago, MdnsRacoon said:

I located this IP, 184.105.247.203, connected to the mDNSResponder on a MacBook Pro, associated with hundreds of complaints. One person said they hacked and changed his Facebook account password. If they can see that, imagine all the private photos and messages they hack into.

31 minutes ago, treed said:

I'm not sure what you're referring to, but mDNSResponder and raccoon are both legitimate Apple processes and not malicious. Further, they have no role in this malware.

Can you clarify what you have observed?


Sure. I believe they are being used to possibly transmit data to and from a host, or are being manipulated by other networks. I'm not exactly sure what we are dealing with.
