LamePyre

LamePyre was discovered in early December 2018 by Malwarebytes threat researcher Adam Thomas. The malware is disguised as a non-functioning copy of Discord, a chat app for gamers. In actuality, it is an Automator script that decodes and executes a Python payload. Once running, the malware repeatedly captures screenshots of the host and sends them to its command-and-control (C2) server. The script also installs an EmPyre backdoor and a launch agent named com.apple.systemkeeper.plist to maintain persistence across reboots.

The malware was dubbed LamePyre because it does not even attempt to trick the user with a fake Discord interface, as many other malware variants do. Instead, the only visible sign of execution is the gear icon that appears in the menu bar whenever an Automator workflow runs; no Discord window or icon ever appears, and nothing else happens from the user's point of view. Still, if the malware is not detected quickly, screenshots will be delivered to the threat actor.

LamePyre's capabilities are limited, and it appears either to have been created by someone with little skill or to still be under development.
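The persistence mechanism described above (a launch agent with an Apple-looking label in the user's LaunchAgents folder that hands a Python payload to an interpreter) gives a defender three things to look for. The shell script below is an added example, not code from NJCCIC or Malwarebytes. It assumes only the plist name reported above (com.apple.systemkeeper.plist); the sample plist it writes into a temporary directory is constructed for demonstration and is not the malware's real file, and the interpreter names it greps for (python, osascript, automator) are an assumed heuristic, not a signature of this specific sample.

```shell
#!/bin/sh
# Hunt for LamePyre-style launchd persistence in a LaunchAgents directory.
# Added example; the plist written by make_sample_dir is constructed and is
# not the malware's real launch agent.

# Label of the launch agent reported for LamePyre.
LAMEPYRE_LABEL="com.apple.systemkeeper"

# find_lamepyre_agent DIR: print the path of the known plist if present.
find_lamepyre_agent() {
    _p="$1/$LAMEPYRE_LABEL.plist"
    [ -f "$_p" ] || return 1
    printf '%s\n' "$_p"
}

# list_spoofed_apple_agents DIR: print every com.apple.* plist in DIR.
# Apple's own agents live under /System/Library/LaunchAgents, so an
# "Apple" label in a per-user LaunchAgents directory deserves a look.
list_spoofed_apple_agents() {
    _rc=1
    for _f in "$1"/com.apple.*.plist; do
        [ -e "$_f" ] || continue
        printf '%s\n' "$_f"
        _rc=0
    done
    return $_rc
}

# plist_runs_script_interpreter FILE: succeed if any string value in the
# plist points at an interpreter a dropper would hand its payload to
# (assumed heuristic: python, osascript, automator).
plist_runs_script_interpreter() {
    grep -Eiq '<string>[^<]*(python|osascript|automator)' "$1"
}

# scan_launch_agents DIR: print one finding per line; always returns 0 so the
# script can be run under "set -e" against a directory with no findings.
scan_launch_agents() {
    _d="$1"
    _p=$(find_lamepyre_agent "$_d") && printf 'KNOWN LABEL: %s\n' "$_p"
    list_spoofed_apple_agents "$_d" | while IFS= read -r _f; do
        printf 'SPOOFED APPLE LABEL: %s\n' "$_f"
    done
    for _f in "$_d"/*.plist; do
        [ -e "$_f" ] || continue
        plist_runs_script_interpreter "$_f" && printf 'SCRIPT INTERPRETER: %s\n' "$_f"
    done
    return 0
}

# make_sample_dir: build a constructed LaunchAgents directory containing one
# LamePyre-like agent and one benign agent, and print its path.
make_sample_dir() {
    _d=$(mktemp -d)
    cat > "$_d/$LAMEPYRE_LABEL.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.systemkeeper</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/python</string><string>/tmp/payload.py</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    cat > "$_d/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/updater</string><string>--check</string></array>
</dict>
</plist>
EOF
    printf '%s\n' "$_d"
}

# Stand-alone use: scan the current user's LaunchAgents directory (override
# with LAUNCH_AGENTS_DIR). Prints nothing when there are no findings.
scan_launch_agents "${LAUNCH_AGENTS_DIR:-$HOME/Library/LaunchAgents}"
```

Run it as `sh hunt.sh` on the host, or point it at a mounted image with `LAUNCH_AGENTS_DIR=/Volumes/evidence/Users/alice/Library/LaunchAgents sh hunt.sh`. Because the Automator gear icon is the only on-screen indicator, a scheduled run of a check like this is a more reliable signal than waiting for a user to notice it.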

Technical Details and Reporting

  • Malwarebytes Labs provides more information on LamePyre and its similarities to DarthMiner. (Malwarebytes Labs)

  • December 2018: New LamePyre macOS Malware Sends Screenshots to Attacker. (BleepingComputer)
