LamePyre: The macOS Malware That Captures And Delivers Screenshots To Cyber-Cons

LamePyre: The macOS Malware That Captures And Delivers Screenshots To Cyber-Cons


The list of malware seems to be never ending as it recently welcomed another one in, which goes by the name of OSX.LamePyre and delivers screenshots to the cyber-con behind it.

With no attempts at masking its existence the newly discovered malware is restricted to taking screenshots and running backdoor functions.


Reportedly, last Friday, the malware was revealed to be prevailing in the camouflage of a copy of Discord, a proprietary freeware used by video-gaming communities.   


According to the citing of malware researchers, the disguise was not meant to go further than the initial stage of obscurity and hence was quite plainly perceptible.


The copy of Discord, the malware was found in wasn’t performing its functions at all and hence raised doubts. The reason was believed to be the fact that it was merely an Automator script.

 

Working Of The Malware

The LamePyre runs in a typical way which is the same for every script of this kind. It works on the system in a way that users seem to perceive the generic Automator icon on the menu bar.


A payload written in the ‘Python’ language is then decoded by the script and is run on the victim’s device.


Then the main function of the malware starts, that is, taking pictures, rather screenshots and uploading them on the cyber-con attacker’s “Command and Control” server. (C2)


The aforementioned malware researcher had also come across the point that a part of the Python-written code was fabricated to organize the open source EmPyre backdoor onto the system.


The very above-mentioned backdoor has been found with other malware as well, DarthMiner (macOS) to name one, with cryptocurrency mining abilities.


The poor ability of LamePyre to disguise itself and function as the actual Discord application makes it, like its name, reasonably “lame” as a malware or it could be considered as a soon-to-emerge risk.


As per what the researcher cited, the Discord app’s copy wasn’t even modified appropriately. It didn’t comprise of as much as the launch copy of the Discord chat app and therefore failed miserably at seeming legitimate.


Although, to set-up a launch agent in the code and keep the malicious code working, the author had inserted a special code of the name, “com.apple.systemkeeper.plist”.


In spite of all that’s wrong with the malware, there is a huge probability that before the users get aware of the abnormal behavior of their Discord application, the malware would have done enough damage and would have sent the screenshots.


 There have been quite a fair number of macOS malware attacks this month along with the discovery of a couple of other strains.

“DarthMiner”, the Adobe Zii piracy software, also made it to the list. The Author here had forgotten or rather committed a huge mistake of using the wrong icon which attracted a lot of glances.


“OSX.BadWord” is another macOS malware threat which was delivered through a malicious macro in a Microsoft Word document. The sandbox escape vulnerability was exploited by it and a launch agent was hence fabricated to set-up a “Meterpreter backdoor”.


Being a duplicate creation, OSX.BadWord differs from the original only by the backdoor it employs. The con of a maker, did neither want recognition nor a proper malware.

Leave a Reply