I am helping a fellow teacher. She accidentally installed something and her DNS now appears to be hacked.

Malwarebytes found "MyCoupon" but that was all. I manually removed the offending DNS entries (82.163.143.135 & 82.163.142.137) but they keep coming back. I don't see any extensions, startup items, or other obvious signs of what is going wrong.

I tried to generate a report, but there is no "Support" option under help on the version on her laptop.

Thank you,

Mike


Mike,

I sent you a couple of direct messages last week to get more information. If you see this, and haven't seen those, can you please respond to those messages? I'd like more information about this. You can see your direct messages here by clicking the icon shown here, in the top right corner of this page:

[screenshot: Screen Shot 2018-01-15 at 7.20.17 AM.png]

This appears to be new malware, and although we've located samples of this malware, there are still a lot of unanswered questions about it. Any help you can provide us would be very welcome.

For anyone else reading, you can check for these malicious DNS entries by opening System Preferences and clicking the Network icon. Then click the Advanced button in the bottom right corner of the Network pane. In the sheet window that drops down, click the DNS tab, and look at the entries in the DNS Servers list. If you see the malicious DNS entries in that list (82.163.143.135 & 82.163.142.137), you're infected, and I'd like to talk to you as well. Please feel free to respond here or send me a direct message.

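The same check from the command line, as an added example that is not part of the original thread and not a Malwarebytes tool. It feeds the output of macOS's networksetup (the CLI behind the Network preference pane) through a matcher for the two resolver addresses named in the post above, and adds a helper that puts a service back on DHCP-supplied resolvers. The two IPs come from the thread; the function names and the use of networksetup are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect the OSX/MaMi resolver addresses in a
# Mac's DNS configuration. The IPs are the ones reported in the thread; everything
# else here is an assumption about how to drive `networksetup`.

MAMI_DNS="82.163.143.135 82.163.142.137"

# Read resolver addresses on stdin, one per line, in the shape that
# `networksetup -getdnsservers <service>` prints them. Echo every address that is
# a MaMi resolver. Exit 0 if at least one matched (infected), 1 if the list is clean.
mami_dns_hits() {
    hits=0
    while IFS= read -r line; do
        addr=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$addr" ] || continue
        for bad in $MAMI_DNS; do
            if [ "$addr" = "$bad" ]; then
                echo "$addr"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Walk every network service (Wi-Fi, Ethernet, ...) and report the infected ones.
# macOS only. The first line of -listallnetworkservices is a legend, and disabled
# services are prefixed with "*", so both are stripped before use.
mami_dns_scan_services() {
    networksetup -listallnetworkservices | sed '1d; s/^\*//' | while IFS= read -r svc; do
        if hit=$(networksetup -getdnsservers "$svc" | mami_dns_hits); then
            echo "INFECTED: $svc uses $(echo "$hit" | tr '\n' ' ')"
        fi
    done
}

# Put a service back on the resolvers handed out by DHCP ("empty" clears the
# manual list). As the original poster saw, this only sticks once whatever
# re-applies the addresses has been removed from the machine.
mami_dns_reset() {
    sudo networksetup -setdnsservers "$1" empty
}

# Usage on the affected Mac (service names are whatever -listallnetworkservices shows):
#   mami_dns_scan_services
#   mami_dns_reset "Wi-Fi"
```

Because the poster saw the addresses come back "at some random time", a single clean run proves little; re-run the scan after the cleanup and again after a reboot, and compare with `scutil --dns`, which shows the resolvers the system is actually using rather than only what the preference pane stores.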

Thanks, Mike!

I see one item I'm not familiar with, which I'd like to take a look at. In the Finder, choose Go to Folder from the Go menu. Then, in the window that opens, paste the following path:

/Library/LaunchDaemons/

Then click the Go button.

In the window that opens, look for an item named "Cyclonica.plist". If you could send that file to me, either here or via direct message, that would be helpful.


Ooh, yeah, that looks like that's it. Delete that file, then restart the computer and see if you can change the DNS settings at that point.

There's also another folder I'd like to see, which contains the malicious executable. This time, go to this path:

~/Library/Application Support/

Look for the folder named "Cyclonica" and zip that up. For that one, definitely please send it to me via direct message rather than posting it here, due to the sensitive nature of the contents. (Note that I'm not sure what else might be in that folder, in addition to the malicious executable, and whether it would be appropriate to post publicly or not.) I'll share the executable with other researchers.


That was going to be my next question, once we completed the cleanup. I don't suppose you still have whatever she downloaded and opened, do you?


Nope, sorry.

I am not sure exactly what it was or the details either.

Also, I was able to delete the DNS settings before, but they would eventually change back to the 82.xxxx IPs at some random time after the change.


That's too bad, but not unexpected.

Anyway, back to cleaning up the machine, since that folder you sent over was empty and the executable gone for some reason, there should only be one last thing to do. This malware also adds a certificate from cloudguard.me to the System keychain. That will need to be removed.

[image: cert.png, the cloudguard.me certificate listed in the System keychain]

(The above image was taken from the Objective-See website, which has some good additional coverage of this malware: https://objective-see.com/blog/blog_0x26.html)

So open Keychain Access, navigate to the System keychain there, and delete the cloudguard.me certificate.

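The cleanup steps spread over the last few posts (the Cyclonica.plist LaunchDaemon, the Cyclonica folder under Application Support, and the cloudguard.me certificate in the System keychain) pulled together into one script, as an added example that is not from the thread and not Malwarebytes code. The artifact names and locations are the ones the posts give; directory paths are parameters with those real locations as defaults so the file checks can be tried against a scratch tree. It assumes the certificate's common name contains "cloudguard.me", and that security, launchctl and zip are the stock macOS tools.

```shell
#!/bin/sh
# Added example (not from the thread): sweep a Mac for the OSX/MaMi artifacts named
# in the thread, preserve samples, then remove them in an order that stops the
# DNS servers from being re-applied. Artifact names come from the thread; the
# function names and the "cloudguard.me" common-name match are assumptions.

MAMI_PLIST="Cyclonica.plist"
MAMI_DIR="Cyclonica"
MAMI_CERT_CN="cloudguard.me"

# Print each file-system artifact that is present. Exit 0 if any was found, 1 if none.
# $1 = LaunchDaemons dir, $2 = Application Support dir (defaults are the real paths).
mami_check_files() {
    launchd_dir=${1:-/Library/LaunchDaemons}
    appsupport_dir=${2:-"$HOME/Library/Application Support"}
    found=0
    if [ -f "$launchd_dir/$MAMI_PLIST" ]; then
        echo "persistence: $launchd_dir/$MAMI_PLIST"
        found=$((found + 1))
    fi
    if [ -d "$appsupport_dir/$MAMI_DIR" ]; then
        echo "payload dir: $appsupport_dir/$MAMI_DIR"
        found=$((found + 1))
    fi
    [ "$found" -gt 0 ]
}

# Keychain check (macOS only). `security find-certificate -c <name> <keychain>`
# exits non-zero when no certificate with that common name is in the keychain.
mami_check_cert() {
    keychain=${1:-/Library/Keychains/System.keychain}
    security find-certificate -c "$MAMI_CERT_CN" "$keychain" >/dev/null 2>&1
}

# Preserve samples before deleting anything, since the researchers in the thread
# asked for them: copy the plist and zip the payload folder into a case directory.
mami_collect() {
    case_dir=${1:-"$HOME/Desktop/mami-case"}
    mkdir -p "$case_dir"
    cp "/Library/LaunchDaemons/$MAMI_PLIST" "$case_dir/" 2>/dev/null
    (cd "$HOME/Library/Application Support" && zip -r "$case_dir/$MAMI_DIR.zip" "$MAMI_DIR") 2>/dev/null
}

# Removal. Unload the LaunchDaemon first so nothing can re-apply the resolvers,
# then delete the payload folder, then the certificate. After this, fix the DNS
# servers in the Network pane and reboot, as the thread did.
mami_remove() {
    sudo launchctl unload "/Library/LaunchDaemons/$MAMI_PLIST" 2>/dev/null
    sudo rm -f "/Library/LaunchDaemons/$MAMI_PLIST"
    rm -rf "$HOME/Library/Application Support/$MAMI_DIR"
    sudo security delete-certificate -c "$MAMI_CERT_CN" /Library/Keychains/System.keychain
}

# Usage on the affected Mac:
#   mami_check_files && mami_collect
#   mami_check_cert && echo "cloudguard.me certificate present"
#   mami_remove
```

Run the checks before and after mami_remove; the file check exiting 1 and the certificate check exiting 1 on the second pass is the "clean" result. Note that the poster found the Cyclonica folder already empty, so mami_collect may produce an empty zip; that is still worth keeping with the plist, which is the piece that explained why the DNS settings kept reverting.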

I contacted Simon at Obdev (Little Snitch) and asked for his opinion on this. He suggested adding these rules to block the DNS servers that get installed.

"

Thank you for letting us know about this.

I will dig somewhat deeper into this issue, but after a brief look I can state the following:

This malware, called OSX/MaMi, is an unsigned Mach-O 64-bit executable. That means macOS will warn you when you run this executable, and Little Snitch will warn you in case this unsigned process wants to make any network connections.

Still, the tricky part comes in when you actually run the executable, enter your admin password and therefore allow it to change your system configuration, particularly your DNS configuration.

Little Snitch comes with a factory allow rule for the /usr/sbin/mDNSResponder process, which is the central service in macOS that maps computer names to Internet addresses. This rule allows mDNSResponder to connect anywhere.

Therefore Little Snitch will possibly not warn you once your DNS servers have been changed, as these connections are usually intended.

The article also describes that these populated DNS servers are 82.163.143.135 and 82.163.142.137.

So you could add the following two rules to simply deny any connections for system processes (like mDNSResponder) to these addresses:

action: deny
direction: incoming
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

action: deny
direction: outgoing
priority: regular
process: any
owner: system
destination: 82.163.142.137, 82.163.143.135
port: any
protocol: any
notes: These IP addresses are used as DNS Servers for the macOS MaMi malware

You could simply copy the lines and paste them into the Little Snitch Configuration to create the rules."
 
OneMadCow
Los Angeles

