Apple's MacOS is known to be one of the more secure operating systems out there. However, due to its increasing popularity and expanding user base, hackers and cybercriminals are starting to victimize iMacs and MacBooks more and more.
Macs may be safer than Windows machines (for now) but as evidenced by reports of external hacking peripherals like the PCILeech, backdoor trojans like Eleanor, webcam hijackers and even cross-platform threats like Mokes, they are certainly not completely immune from malicious software attacks.
New Mac malware hijacks your DNS
A discovery from Mac OS security blog Objective-See has revealed a new macOS DNS hijacker called OSX/Mami. Aside from doing the usual malware-y routines, like stealing your information and using your computer for generally shady stuff, OSX/Mami is still undetectable by security software.
Even worse, DNS hijackers are quite worrisome since these change your DNS address settings so the bad guys can route all your web traffic through servers of their choosing.
(Note: DNS or the Domain Name System is the way the internet converts readable names to numbers commonly referred to as a website's IP address. DNS servers basically work as the internet's phone books.)
By forcing your traffic through their prying eyes, they can siphon out your personal information, login credentials, passwords, redirect you to fake pages and phishing websites, and even use your computer for cryptojacking.
According to Objective See's Patrick Warble, aside from DNS hijacking, OSX/Mami has other abilities like:
- Taking screenshots
- Generating simulated mouse events
- Perhaps persisting as a launch item
- Downloading and uploading files
- Executing commands
Although the author, the vector and the ultimate motive of the OSX/Mami malware are still unclear, Warble believes that it is being distributed through the usual channels like poisoned emails, fake security alerts and updates, or via social engineering/ phishing scams.
How can you tell if you are infected?
During its discovery, OSX/Mami was still marked as clean by all 59 anti-virus engines on VirusTotal. Hopefully, this has changed now that the word is out.
If you want to check if your Mac is infected, open System Preferences, then select Network. Click on the Advanced button and check if the DNS tab has these entries: 220.127.116.11 and 18.104.22.168. If you do, then your computer has been hijacked!
Note: Also check for the presence of the malicious cloudguard.me certificate in your System Keychain.
Objective-See warns that DNS hijackers can oftentimes install other malware or have an attacker remote control your computer without your knowledge so if you want to be totally safe, you may want to reinstall your macOS operating system. However, in most cases, removing the malicious DNS servers and deleting the malicious cloudguard.me certificate should be enough.
How to remove the malicious DNS servers:
- Open System Preferences, then select Network.
- Click on the Advanced button and check the DNS tab.
- Highlight each malicious address (22.214.171.124 and 126.96.36.199) then click the minus "-" button to remove.
How to remove the malicious certificate
- In your Launchpad (the rocket icon on your dock), go to the Other folder to select Keychain Access.
- Click on System in the Keychains sidebar, then try locating the cloudguard.me certificate. Right-click on it then select "Delete" to remove it.
Have a question about Macs? Kim has your answer! Click here to send Kim a question, she may use it and answer it on her radio show. The Kim Komando Show is broadcast on over 450 stations. Click here to find the show time in your area.
DNS system that is designed to protect you
Having a reliable and dependable DNS system is critical to your safety. If you want to further protect your systems from rogue websites and bad links, here's Kim's security pick. Click here to read more about the free Quad9 DNS service.