Sunday, March 10, 2019

OSX - mami

A bit older, but a fun piece of malware that I ran into this weekend.

Easiest ways to detect:

  • These IP addresses configured as the system's DNS servers: 82.163.143․135 and 82.163.142․137.
  • A root CA installed for the domain cloudguard[dot]me.
  • Unusual files in /Library/LaunchDaemons and ~/Library/Application Support.
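
The three host checks above, turned into a triage script. This is an added example, not code from the original post; it assumes the primary network service is named "Wi-Fi", that anything labelled outside the `com.apple.` namespace is worth a look (a constructed allowlist), and it matches the two resolver IPs written plainly rather than defanged.

```python
import plistlib
import re
import subprocess
from pathlib import Path

# Indicators from the post (defanged there), plus a constructed label allowlist.
MAMI_DNS = {"82.163.143.135", "82.163.142.137"}
MAMI_CA_DOMAIN = "cloudguard.me"
KNOWN_LABEL_PREFIXES = ("com.apple.",)  # assumption: your host baseline
USER_WRITABLE = re.compile(r"^(/tmp/|/private/tmp/|/var/tmp/|/Users/)")

def rogue_dns_servers(servers):
    """Configured resolvers that match the MaMi DNS IPs."""
    return sorted({s.strip() for s in servers} & MAMI_DNS)

def rogue_ca_entries(cert_dump):
    """Lines of `security find-certificate -a` text output naming cloudguard.me."""
    return [l.strip() for l in cert_dump.splitlines() if MAMI_CA_DOMAIN in l.lower()]

def unusual_launch_items(plist_by_path):
    """Flag launchd plists ({path: bytes}) off-baseline or running from user-writable dirs."""
    flagged = []
    for path, raw in plist_by_path.items():
        try:
            d = plistlib.loads(raw)
        except Exception:
            flagged.append((path, "unparseable plist"))
            continue
        label = str(d.get("Label", ""))
        prog = str((d.get("ProgramArguments") or [d.get("Program", "")])[0])
        if not label.startswith(KNOWN_LABEL_PREFIXES):
            flagged.append((path, f"label {label!r} outside baseline"))
        if USER_WRITABLE.match(prog):  # e.g. ~/Library/Application Support/...
            flagged.append((path, f"program {prog!r} in user-writable path"))
    return flagged

def _out(*cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def run_live():
    """Collect from the local macOS host; the functions above do the matching."""
    dns = _out("networksetup", "-getdnsservers", "Wi-Fi").split()  # assumed service name
    certs = _out("security", "find-certificate", "-a", "/Library/Keychains/System.keychain")
    plists = {str(p): p.read_bytes() for p in Path("/Library/LaunchDaemons").glob("*.plist")}
    return rogue_dns_servers(dns), rogue_ca_entries(certs), unusual_launch_items(plists)

if __name__ == "__main__":
    print(dict(zip(("dns", "root CA", "launchd"), run_live())))
```

Run it as root so the system keychain and all daemon plists are readable; an empty list under each key means that indicator was not found.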

For network searching:

This blog has a list of domains that can be searched for to find related traffic over port 80.

References:
