MacOS malware targets crypto-discussing Slack, Discord users

Getting your Trinity Audio player ready...

Security researchers have uncovered a new type of malware aimed at those using MacOS devices to discuss cryptocurrencies.

The malware attacks users participating in cryptocurrency discussions on chat apps Discord and Slack, with hackers gaining access to conversations and posing as administrators to share malicious code. The code, identified by Sans Institute security researcher Remco Verhoef, connects to a C&C (Command and Control) server run by the hackers, which allows them to run code on the user’s MacOS device remotely. The malware also harvests passwords, in addition to seizing control of the victim’s device.

Verhoef suggested the hack server appeared to be situated in the Netherlands, saying, “CrownCloud, a German-based provider is the owner of the block of 185.243.115.230 and the server appears to be located in the Netherlands.”

Patrick Wardle, founder at Digita Security, described the malware as “dumb.”

“The capabilities are rather limited (and thus rather dumb), it’s trivial to detect at every step (that dumb)…and finally, the malware saves the user’s password to dumpdummy…I guess the take away here is (yet again) the built-in macOS malware mitigations should never be viewed as a panacea,” Wardle said in a blog post.

The dean of Research at the Sans Institute, Dr. Johannes Ullrich, said the best protection for users was to be wary of the software they install. In an interview with SC Media UK, Ullrich said, “This is probably the number one defence in this particular case, since anti-malware does not protect users until a signature is added to it. OS X tools like ‘LittleSnitch’ can also warn the user when new software like this establishes outbound network connections.”

Meanwhile, Alex Hinchliffe, an analyst at Unit 42, Palo Alto Networks, warned the “crude” malware could be expected to improve over time.

“We should expect such attacks to improve over time. As for organisations, they have some benefits in that they can typically control their network and environment more tightly than home users,” Hinchliffe told the UK news outlet. “In-house instances of such chat groups therefore can be rigorously checked for membership and the content being shared. Multi-factor authentication should be used to ensure that leaked or stolen credentials do not allow simply anyone to join an organisations chat room.”