LamePyre: The macOS Malware That Captures And Delivers Screenshots To Cyber-Cons
The list of macOS malware seems never-ending; it recently welcomed another entry, which goes by the name OSX.LamePyre and delivers screenshots to the cyber-con behind it.
Making no attempt to mask its existence, the newly discovered malware is limited to taking screenshots and running backdoor functions.
Reportedly, last Friday the malware was found circulating in the camouflage of a copy of Discord, a proprietary freeware chat application used by video-gaming communities.
According to the malware researchers cited, the disguise was never meant to go further than an initial stage of obscurity and was therefore quite plainly perceptible.
The copy of Discord in which the malware was found did not perform the real application’s functions at all, which raised doubts. The reason, it was believed, was that it was merely an Automator script.
LamePyre runs in the way typical of every script of this kind: while it runs, users see the generic Automator icon in the menu bar.
The script then decodes a payload written in Python and runs it on the victim’s device.
The main function of the malware then starts: taking screenshots and uploading them to the cyber-con attacker’s command-and-control (C2) server.
The aforementioned malware researcher also found that part of the Python code was designed to install the open-source EmPyre backdoor on the system.
The same backdoor has been found alongside other malware as well, DarthMiner (macOS), which has cryptocurrency-mining abilities, to name one.
LamePyre’s poor ability to disguise itself and function as the actual Discord application makes it, like its name, reasonably “lame” as malware, though it could be considered a soon-to-emerge risk.
As the researcher noted, the copy of the Discord app wasn’t even modified appropriately. It did not contain so much as a launchable copy of the Discord chat app and therefore failed miserably at seeming legitimate.
To set up a launch agent and keep the malicious code running, however, the author had inserted a launch agent file named “com.apple.systemkeeper.plist”.
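The two traits described above, an Automator app that decodes and runs a Python payload and a persistence launch agent whose name borrows Apple’s “com.apple.” prefix, are both visible to a defender who inspects the LaunchAgents directories. The following is an added example written for this article, not code from the researchers or from the malware itself. It parses launch agent plists and flags the patterns the article describes; the two embedded plists are constructed samples (the ProgramArguments in the suspicious one are an assumption for illustration, not the real malware’s content), and the finding codes are names chosen here.

```python
import plistlib
from pathlib import Path
from typing import List, Dict

# Constructed sample modelled on the "com.apple.systemkeeper.plist" name from
# the article. The command line is an assumption for illustration only.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.systemkeeper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/python</string>
    <string>-c</string>
    <string>import base64;exec(base64.b64decode('PAYLOAD_PLACEHOLDER'))</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample of an ordinary third-party updater agent.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Interpreters and tools that a script-based dropper typically launches.
SCRIPT_TOKENS = ("python", "osascript", "Automator", "/bin/sh", "bash", "perl")


def assess_launch_agent(plist_bytes: bytes, path: str) -> List[str]:
    """Return a list of finding codes for one launch agent plist.

    Apple's own agents live under /System/Library/LaunchAgents, so a
    com.apple.* label anywhere else is impersonation. A command line that
    invokes a scripting interpreter, or decodes base64 inline, matches the
    Automator-to-Python staging the article describes.
    """
    findings: List[str] = []
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable_plist"]

    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    if isinstance(args, str):
        args = [args]
    program = data.get("Program")
    if program:
        args = [program] + list(args)
    cmdline = " ".join(str(a) for a in args)

    if label.startswith("com.apple.") and not path.startswith("/System/"):
        findings.append("apple_label_outside_system")
    if any(tok in cmdline for tok in SCRIPT_TOKENS):
        findings.append("scripting_interpreter")
    if "base64" in cmdline or "b64decode" in cmdline:
        findings.append("base64_cmdline")
    return findings


def scan_launch_agents(directories=None) -> Dict[str, List[str]]:
    """Walk the user and system-wide LaunchAgents directories on this host
    and return {plist path: findings} for every plist that raised a finding."""
    if directories is None:
        directories = [Path.home() / "Library" / "LaunchAgents",
                       Path("/Library/LaunchAgents")]
    report: Dict[str, List[str]] = {}
    for d in directories:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            findings = assess_launch_agent(p.read_bytes(), str(p))
            if findings:
                report[str(p)] = findings
    return report


if __name__ == "__main__":
    user_dir = "/Users/alice/Library/LaunchAgents/"
    print(assess_launch_agent(SUSPICIOUS_AGENT, user_dir + "com.apple.systemkeeper.plist"))
    print(assess_launch_agent(BENIGN_AGENT, user_dir + "com.example.updater.plist"))
    for path, findings in scan_launch_agents().items():
        print(path, findings)
```

Running the module on a Mac prints the two sample assessments and then any flagged agents from the host’s own LaunchAgents directories; the label check is deliberately strict because third-party software has no legitimate reason to register a “com.apple.” label outside /System.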
In spite of all that’s wrong with the malware, there is a high probability that by the time users become aware of their Discord application’s abnormal behavior, the malware will already have done enough damage and sent the screenshots.
There has been a fair number of macOS malware attacks this month, along with the discovery of a couple of other strains.
“DarthMiner”, distributed as the Adobe Zii piracy software, also made the list. Its author had forgotten, or rather made the huge mistake of, using the wrong icon, which attracted a lot of attention.
“OSX.BadWord” is another macOS malware threat, delivered through a malicious macro in a Microsoft Word document. It exploited a sandbox escape vulnerability and then created a launch agent to set up a “Meterpreter backdoor”.
Being a duplicate creation, OSX.BadWord differs from the original only in the backdoor it employs. Its con of a maker apparently wanted neither recognition nor a proper piece of malware.