MaMi Mac malware and DNS

I was reading about some new Mac malware called MaMi which essentially hijacks DNS requests by changing the DNS settings on your Mac and then sending you to places you don’t want to go.

These are settings such as 8.8.8.8, which sends DNS requests to Google, which in turn directs your Mac to the appropriate site.

The reason I mention this, and I tend to mention it every time DNS hijacking shows up, is that there is an easy way to prevent the attack from being successful even if you get infected with the malware.

Assuming you have a firewall/router that can block direct DNS requests to the internet, you should be able to simply create a rule that drops any direct requests to a malicious DNS server. In this case, the malware is attempting to send those requests to 82.163.143.135 and 82.163.142.137.

Most firewalls/routers can actually proxy DNS requests for you, so your Mac does not have to send them directly to the internet. For example, your firewall might have an internal IP address of 192.168.1.1. In this scenario, the DNS settings on your Mac would be 192.168.1.1 instead of something like 8.8.8.8, which would send the requests directly to Google for resolving.
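To check that a Mac is still pointed at the firewall and has not been switched to the MaMi resolvers, the sketch below parses `scutil --dns` output and flags every nameserver that is not on an allowlist. It is an added example, not part of the original post; the function names are hypothetical, the allowlist assumes the 192.168.1.1 router address used above, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are not the firewall/router proxy.
# Assumption: 192.168.1.1 (the post's example) is the only approved resolver.
ALLOWED_RESOLVERS="192.168.1.1"
# Resolver addresses the post attributes to MaMi.
MAMI_RESOLVERS="82.163.143.135 82.163.142.137"

# Reads `scutil --dns` text on stdin and prints one finding per bad resolver.
# Returns 0 when every resolver is approved, 1 otherwise.
audit_resolvers() {
    findings=$(awk '/nameserver\[[0-9]+\]/ { print $3 }' | sort -u |
        while read -r ip; do
            case " $MAMI_RESOLVERS " in
                *" $ip "*) echo "MAMI $ip"; continue ;;
            esac
            case " $ALLOWED_RESOLVERS " in
                *" $ip "*) ;;
                *) echo "UNEXPECTED $ip" ;;
            esac
        done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample of `scutil --dns` output from a hijacked Mac.
sample_infected() {
    cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 4 (en0)

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
EOF
}

# On a Mac, audit the live settings; elsewhere, fall back to the sample.
if command -v scutil >/dev/null 2>&1; then scutil --dns; else sample_infected; fi |
    audit_resolvers || echo "resolver audit failed: fix DNS settings" >&2
```

A resolver such as 8.8.8.8 is reported as `UNEXPECTED` rather than `MAMI`: it is not malicious, but it bypasses the firewall proxy.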

Log event of firewall rule blocking direct DNS requests to Google (8.8.8.8).

In this case, we have an Android device that is most likely hard-coded to use Google DNS (obviously, since it’s Android) and is trying to contact the Google DNS server directly instead of being proxied by the firewall. If it had been malicious, then the request would have been blocked.
