MaMi is a DNS hijacker that targets devices running macOS. The malware is distributed as an unsigned Mach-O 64-bit binary which, at the time of writing, isn't detected by scan engines such as those on VirusTotal. It was discovered by Mac security expert Patrick Wardle after a teacher reported the infection on her device. The two DNS servers the malware adds to infected hosts are: 82[.]163[.]143[.]135 and 82[.]163[.]142[.]137.
Researchers suspect it is being developed into a remote access trojan (RAT) as it appears the malware has the capacity to:
- Install a local certificate,
- set up custom DNS settings,
- take screenshots,
- hijack mouse clicks,
- run AppleScripts,
- get OS launch persistence,
- download and upload files, and
- execute commands.
However, at the time of writing it can only:
- Get boot persistence,
- install a local certificate, and
- set up custom DNS server settings.
Wardle provides technical details on MaMi here.
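Since the only change MaMi makes that is visible from the outside today is the pair of resolver addresses listed above, the quickest host-level check is to compare the configured DNS servers against those two indicators. The following is an added example for this page, not code from the article or from Wardle's analysis: it parses the output of `scutil --dns` (the macOS command that prints the active resolver configuration), extracts every `nameserver[i] : addr` line, and reports any that match the two addresses from the article. The sample `scutil` outputs embedded below are constructed for the demo; on a Mac the script runs the real command.

```python
"""Check macOS DNS resolver configuration against the MaMi DNS-hijacker IoCs.

Added example (not from the original article or Wardle's analysis). The two
resolver addresses are the ones the article reports MaMi adds to infected
hosts; the sample `scutil --dns` text below is constructed for this demo.
"""
import re
import subprocess
from typing import List

# Indicators from the article, kept in defanged form; refanged only for matching.
MAMI_DNS_IOCS_DEFANGED = ["82[.]163[.]143[.]135", "82[.]163[.]142[.]137"]

# Constructed sample of `scutil --dns` output on a host whose resolvers have
# been replaced. The "resolver #N" / "nameserver[i] : addr" layout is the one
# scutil prints on macOS; only the values are made up for the example.
SAMPLE_SCUTIL_DNS_HIJACKED = """\
DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
"""

# Constructed sample of a host pointing at its local router.
SAMPLE_SCUTIL_DNS_CLEAN = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 5 (en0)
  flags    : Request A records
"""

_NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 82[.]163[.]1[.]1 into a plain address."""
    return ioc.replace("[.]", ".")


def nameservers_from_scutil(output: str) -> List[str]:
    """Extract every nameserver address from `scutil --dns` text, in order."""
    return _NAMESERVER_RE.findall(output)


def find_ioc_resolvers(output: str, iocs_defanged=MAMI_DNS_IOCS_DEFANGED) -> List[str]:
    """Return the configured resolvers that match the known MaMi addresses (deduplicated)."""
    bad = {refang(i) for i in iocs_defanged}
    seen = set()
    hits = []
    for ns in nameservers_from_scutil(output):
        if ns in bad and ns not in seen:
            seen.add(ns)
            hits.append(ns)
    return hits


def live_scutil_dns() -> str:
    """Run `scutil --dns` on the local host (macOS only)."""
    return subprocess.run(["scutil", "--dns"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    try:
        output = live_scutil_dns()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("scutil not available; checking the constructed sample instead")
        output = SAMPLE_SCUTIL_DNS_HIJACKED
    hits = find_ioc_resolvers(output)
    if hits:
        print("MaMi DNS indicators present in resolver configuration:", ", ".join(hits))
    else:
        print("No MaMi DNS indicators found")
```

Matching against `scutil --dns` rather than `networksetup -getdnsservers` has the advantage of showing the resolvers actually in effect, whatever interface or configuration mechanism set them, which is what matters when the concern is that settings were changed without the user's knowledge.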