New macOS malware: MaMi

Patrick Wardle, of Objective-See, has just reported what he believes to be new malware running on macOS, which he has dubbed OSX/MaMi.

It isn’t yet clear how this malware is spread. However, the executable is unsigned, so should (in theory) be rejected by its initial Gatekeeper check, unless it is delivered as a payload by a more ingenious installer which sneaks it past the unwary user.

His analysis shows that MaMi’s primary purpose is to hijack the Domain Name Service (DNS). It does this by replacing /Library/Preferences/SystemConfiguration/preferences.plist and installing a replacement root certificate authority in the System keychain. With that root certificate in place, it could then perform a man-in-the-middle attack to steal passwords and other protected information.

The replacement Root certificate authority is claimed to originate from ‘GreenTeam Internet, Ltd.’, in the country ‘IL’, state ‘Gush Dan’, and locality ‘Hertzilia’, with a common name of ‘cloudguard.me’.

The replacement preferences.plist sets the DNS servers (shown in the Network pane) to 82.163.143.135 and 82.163.142.137. These are owned by Daniel Engelman and Eldar Retter of GREENTEAM-NET in Tel-Aviv, Israel, and appear to be the greenteam.net DNS servers. This makes it possible that this malware originates from a phishing attack undertaken for purposes of espionage.

There are also indications that the malware might be capable of taking screenshots, monitoring mouse clicks, and running AppleScripts, although Patrick was unable to discover any code which used those features.

To check whether your Mac has been infected, you can therefore inspect your DNS settings in the Network pane, look for the replacement root certificate in your System keychain using Keychain Access, and check the contents of /Library/Preferences/SystemConfiguration/preferences.plist.
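Those three checks can be scripted. The script below is an added example, not code from this article or from Objective-See: it takes only the indicators quoted above (the two DNS addresses, the cloudguard.me common name and the preferences.plist path) and otherwise assumes the macOS command-line tools scutil, security and plutil, which is why the live scan is skipped on any other system. The function names and output format are this example’s own, and the text-matching functions can also be fed saved command output from another Mac.

```shell
#!/bin/sh
# Added example (not from the article or Objective-See): checks a Mac for the
# three MaMi indicators the article lists. The values below are the IoCs quoted
# in the article; the function names and output format are this example's own.

MAMI_DNS_SERVERS="82.163.143.135 82.163.142.137"
MAMI_CERT_CN="cloudguard.me"
MAMI_PREFS_PLIST="/Library/Preferences/SystemConfiguration/preferences.plist"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# mami_dns_indicator TEXT
# Returns 0 if TEXT (e.g. the output of `scutil --dns`, or a dumped
# preferences.plist) contains either of the MaMi DNS server addresses.
mami_dns_indicator() {
    for ip in $MAMI_DNS_SERVERS; do
        case "$1" in
            *"$ip"*) return 0 ;;
        esac
    done
    return 1
}

# mami_cert_indicator TEXT
# Returns 0 if TEXT (e.g. the output of `security find-certificate`) names the
# cloudguard.me common name carried by the replacement root CA.
mami_cert_indicator() {
    case "$1" in
        *"$MAMI_CERT_CN"*) return 0 ;;
    esac
    return 1
}

# scan_live_mac
# Runs the three checks against the running system (macOS only, since it needs
# scutil, security and plutil). Prints each hit; exit status 0 means no
# indicator was found, 1 means at least one was.
scan_live_mac() {
    hits=0

    # 1. Active resolver configuration: the same servers the Network pane shows.
    dns_text="$(scutil --dns 2>/dev/null)"
    if mami_dns_indicator "$dns_text"; then
        echo "INDICATOR: resolver list contains a MaMi DNS server"
        hits=$((hits + 1))
    fi

    # 2. Replacement root CA in the System keychain, matched by common name.
    cert_text="$(security find-certificate -a -c "$MAMI_CERT_CN" "$SYSTEM_KEYCHAIN" 2>/dev/null)"
    if mami_cert_indicator "$cert_text"; then
        echo "INDICATOR: certificate with CN $MAMI_CERT_CN in $SYSTEM_KEYCHAIN"
        hits=$((hits + 1))
    fi

    # 3. The replaced preferences.plist, dumped to text so the addresses can be matched.
    if [ -r "$MAMI_PREFS_PLIST" ]; then
        plist_text="$(plutil -p "$MAMI_PREFS_PLIST" 2>/dev/null)"
        if mami_dns_indicator "$plist_text"; then
            echo "INDICATOR: $MAMI_PREFS_PLIST hard-codes a MaMi DNS server"
            hits=$((hits + 1))
        fi
    fi

    echo "indicators found: $hits"
    [ "$hits" -eq 0 ]
}

# Run the live scan only on macOS; elsewhere the matching functions remain
# usable against command output saved from a Mac.
if [ "$(uname)" = "Darwin" ]; then
    scan_live_mac
fi
```

Matching on the two addresses and the common name keeps the script narrow on purpose: a clean result only says these particular indicators are absent, so the manual checks in the Network pane and Keychain Access remain worthwhile if the Mac is behaving oddly.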

At the time that he wrote his detailed report on MaMi, no virus detection software appeared able to detect this malware. Until it can, you should be particularly wary of any email, web downloads, etc., which might try to install it on your Mac.