MaMi

MaMi is a DNS hijacker that can exploit devices running macOS. The malware is distributed via an unsigned Mach-O 64-bit binary - which, at the time of writing, isn't detected by by scan engines such as VirusTotal. It was discovered by Mac security expert Patrick Wardle after a teacher reported the infection on her device. The two DNS servers the malware adds to infected hosts are: 82[.]163[.]143[.]135 and 82[.]163[.]142[.]137.

Researchers suspect it is being developed into a remote access trojan (RAT) as it appears the malware has the capacity to:

• Install a local certificate,
• set up custom DNS settings,
• take screenshots,
• hijack mouse clicks,
• run AppleScripts,
• get OS launch persistence,
• download and upload files, and
• execute commands.

However, at the time of writing it can only:

• Get boot persistence,
• install a local certificate, and
• set up custom DNS server settings.

Technical Details

• Wardle Provides technical details on MaMi here.