MaMi

MaMi is a DNS hijacker that can exploit devices running macOS. The malware is distributed via an unsigned Mach-O 64-bit binary - which, at the time of writing, isn't detected by by scan engines such as VirusTotal. It was discovered by Mac security expert Patrick Wardle after a teacher reported the infection on her device. The two DNS servers the malware adds to infected hosts are: 82[.]163[.]143[.]135 and 82[.]163[.]142[.]137.

Researchers suspect it is being developed into a remote access trojan (RAT) as it appears the malware has the capacity to:

Install a local certificate,
set up custom DNS settings,
take screenshots,
hijack mouse clicks,
run AppleScripts,
get OS launch persistence,
download and upload files, and
execute commands.

However, at the time of writing it can only:

Get boot persistence,
install a local certificate, and
set up custom DNS server settings.

Technical Details

Wardle Provides technical details on MaMi here.

MacOS MalwareNJCCICJanuary 12, 2018mami

MaMi

NJ CYBERSECURITY & COMMUNICATIONS INTEGRATION CELL

PO Box 091

Trenton, NJ 08625

CONTACT US

Email: njccic@cyber.nj.gov

Phone: 609.963.6900 x 7865