MaMi Malware detected using deep learning

Jan 16, 2018


About MaMi Malware

With Apple’s desktop operating system holding the second-largest market share (Microsoft Windows is first, at around 82.7%), macOS users are an increasingly tempting target for hackers and cybercriminals.

Several days ago a new macOS malware, the first of 2018, named MaMi, was discovered in the wild. It first came to attention through a forum post by a teacher complaining that her DNS settings had been hijacked.

Further analysis by Patrick Wardle showed that the malware responsible for the DNS hijacking, named MaMi, is an unsigned 64-bit Mach-O executable. According to Wardle, the malware was available for download from hxxp://regardens.info. A WHOIS search on that domain turned up additional domains from which the malware can be downloaded: hxxp://definitial.info, hxxp://humption.info and hxxp://angeing.info.

At the time of discovery, no engine on VirusTotal detected the sample.

A preliminary investigation shows that the malware obtains root privileges, installs a root certificate downloaded from the web into the system keychain, and changes the system’s DNS server settings. Together these two changes let the operator route the victim’s lookups through attacker-controlled resolvers and intercept even HTTPS connections without certificate warnings, because the injected root CA is now trusted by the system. The malware’s potential is greater still, since it also contains code for taking screenshots, executing commands and simulating mouse events.

In terms of evasion, the malware leaves little trace: the binary removes itself from the system after running, while the DNS and certificate changes it made remain in place. An infected host should therefore be checked for those changes rather than for the binary itself.
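The following host check is an added example and is not code from the original post or from any vendor tooling. It looks for the two persistent traces a MaMi-style infection leaves behind after the binary deletes itself: DNS servers that are not on an allowlist, and root certificates in the System keychain whose SHA-1 fingerprint is not in a baseline. The allowlist, the baseline fingerprint and the sample command output embedded below are constructed for illustration; on a real Mac, run the script with --live to check the host itself.

```shell
#!/bin/sh
# Added example (not from the original post or from Deep Instinct): check a Mac
# for the two persistent traces of a MaMi-style infection, rewritten DNS servers
# and an extra root certificate in the System keychain. The allowlist, the
# baseline fingerprint and the sample command output are constructed.

# Hypothetical allowlist of resolvers your endpoints are expected to use.
EXPECTED_DNS="10.0.0.53 10.0.1.53"

# Hypothetical baseline of SHA-1 fingerprints expected in the System keychain;
# gather the real list from a known-clean machine with the command named below.
EXPECTED_CERT_SHA1="A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1"

# check_dns_servers ALLOWLIST   reads the output of
#   networksetup -getdnsservers <service>
# on stdin, prints every resolver not in ALLOWLIST and returns 1 if any was found.
check_dns_servers() {
    allow="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|*"aren't any DNS Servers"*) continue ;;   # nothing set statically
        esac
        found=0
        for ok in $allow; do
            [ "$line" = "$ok" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf 'unexpected DNS server: %s\n' "$line"
            bad=1
        fi
    done
    return "$bad"
}

# check_root_certs BASELINE   reads the output of
#   security find-certificate -a -Z /Library/Keychains/System.keychain
# on stdin, prints every "SHA-1 hash:" value not in BASELINE and returns 1 if any.
check_root_certs() {
    baseline="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "SHA-1 hash: "*) fp="${line#SHA-1 hash: }" ;;
            *) continue ;;
        esac
        found=0
        for ok in $baseline; do
            [ "$fp" = "$ok" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf 'root certificate not in baseline: %s\n' "$fp"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample output, shaped like what the two commands print on an
# infected Mac: one resolver in the RFC 5737 documentation range standing in for
# an attacker address, and one certificate that is not in the baseline.
SAMPLE_DNS_OUTPUT='10.0.0.53
203.0.113.10'
SAMPLE_CERT_LISTING='SHA-1 hash: A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Constructed Corporate Root CA"
SHA-1 hash: B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="Constructed Rogue Root CA"'

# scan_host   runs both checks against the live system (macOS only).
scan_host() {
    # First line of -listallnetworkservices is a legend; disabled services are
    # prefixed with "*", which -getdnsservers does not accept.
    networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
        svc="${svc#\*}"
        networksetup -getdnsservers "$svc" | check_dns_servers "$EXPECTED_DNS" \
            || printf '  (service: %s)\n' "$svc"
    done
    security find-certificate -a -Z /Library/Keychains/System.keychain \
        | check_root_certs "$EXPECTED_CERT_SHA1"
}

case "${1:-}" in
    --live) scan_host ;;
    *)  printf '%s\n' "$SAMPLE_DNS_OUTPUT"   | check_dns_servers "$EXPECTED_DNS"       || echo "DNS check: FAIL"
        printf '%s\n' "$SAMPLE_CERT_LISTING" | check_root_certs "$EXPECTED_CERT_SHA1"  || echo "cert check: FAIL" ;;
esac
```

Both checks are deliberately allowlist-based: an attacker can choose any resolver address and any certificate subject, so comparing against what the host is supposed to have is more robust than looking for known-bad values, and the same script can be re-run after cleanup to confirm the changes were actually reverted.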

Furthermore, MaMi stores part of its configuration data encrypted, which slows down analysis of its mode of operation.

macOS Malware Trends

Although macOS malware is still rare compared to Windows malware, the discovery of MaMi continues the growth trend of macOS malware, whose volume grew by more than 200% in 2017.

Some notable macOS malware discovered in 2017 includes:

  • Proton RAT, an advanced remote access trojan offered for sale in underground cybercrime markets and found in the wild in several different attack campaigns.
  • DOK, a banking trojan delivered by phishing email that intercepts and monitors the victim’s HTTP and HTTPS traffic.
  • XAgent, an advanced backdoor written and used by the APT28 group.

The growth in macOS malware is expected to continue as cybercriminals search for new sources of revenue and nation-state actors spy on valuable targets.

MaMi Malware Detected Using Deep Learning

Deep learning, inspired by the way the brain learns, classifies an input without relying on hand-written rules or signatures. Applied to cybersecurity, this allows a deep learning model to identify both known and previously unseen malware with high accuracy.

Using these capabilities, Deep Instinct detected MaMi without any prior knowledge of the sample, as well as the macOS malware families listed above.


References

https://objective-see.com/blog/blog_0x26.html

https://forums.malwarebytes.com/topic/218198-dns-hijacked/

https://defintel.com/blog/index.php/2017/09/more-mac-malware-thus-far-in-2017-than-any-other-year.html
