Remco Verhoef, founder of network security firm DutchSec, posted about the malware on June 30th in a blog post for the SANS Institute, an information security and cybersecurity training organization.
According to Verhoef, the attackers impersonate administrators or “key people” in crypto-related chats and then share “small snippets” of code that, when run, download and execute a malicious binary. SC Media UK notes that the malware can also steal user passwords and store them on the local machine as well as on a remote server, which Verhoef identifies as an apparently Netherlands-based server belonging to German provider CrownCloud.
Patrick Wardle of Digital Security posted on Objective-See on June 29 about the Mac-targeted malware attacks, writing that “apparently attackers are asking users to infect themselves” with a “rather massive machO binary.”
Wardle concludes his blog post by naming the malware “OSX.Dummy” for a variety of reasons that he lists in bullet points:
- “the infection method is dumb
- the massive size of the binary is dumb
- the persistence mechanism is lame (and thus also dumb)
- the capabilities are rather limited (and thus rather dumb)
- it's trivial to detect at every step (that dumb)
- ...and finally, the malware saves the user's password to dumpdummy”
According to Alex Hinchliffe, a threat intelligence analyst at Palo Alto Networks’ Unit 42, attacks like this will “improve over time,” and multi-factor authentication should be required for joining an organization’s chat room.
Earlier today, reports broke of a new attack on Bitcoin (BTC) users — monitoring 2.3 million targets — which consists of gaining control of Windows clipboards to swap out a user’s BTC address for that of the attacker. And last week, a cybersecurity report from McAfee Labs stated that cryptojacking instances have risen 629 percent in the first quarter of 2018.