There’s a new malware threat in the MacOS ecosystem called OSX.LamePyre. If you haven’t heard of it yet, it belongs on your radar.
At the moment, industry experts agree that it’s more of a crude work in progress. Unfortunately, the danger of crude works in progress is that the hackers continue to develop them, making them a threat that gets worse over time.
In this case, LamePyre is limited to maintaining a back door into the infected system and taking screenshots at periodic intervals and sends them back to the hacker controlling the malware.
The only instance of LamePyre found in the wild so far is one that’s disguised as the Discord messaging app, which is widely used by gamers. Unfortunately, this poisoned version of Discord doesn’t actually function. It’s simply a shell that contains an Automator script and displays the generic Automator icon in the menu bar when it’s running.
When a user downloads the poisoned version of Discord, the Automator script decodes the malware payload, which is written in Python. Then, the malware begins taking screenshots at predefined intervals and sending them back to the hacker’s command and control server.
There are two risks then: First, the hacker who controls the script will see pretty much everything you’re working on. Second, since it opens a channel between the infected machine and the c2 server, it allows the hacker to inject additional malware onto the system, at will. Not good.
If you or anyone in your employ uses the Discord messaging app, this is an emerging threat to watch. Fortunately, it’s easily removed and dealt with (for now), but that could easily change as whomever created the app can easily build it out more completely and make it a significantly worse threat.