The third malware strain targeting MacOS this month has been discovered and dubbed LamePyre. Although it appears to still be under development, the malware is able to perform a few functions. LamePyre traps its victims by showing up as a duplicate of the Discord app utilized by gamers. In actuality, it is only a shell which appears as the run of the mill Automator symbol in the menu bar on MacOS when kept running by the user.
The content utilized in LamePyre first deciphers its payload and afterward makes its rounds to take screen captures and send them to its C2 server. To keep the backdoor and screenshot functionality running effectively, the script includes a launch agent with the name com.apple.systemkeeper.plist, but it does not disguise itself well enough to look like a copy of Discords messenger.
“This malware is really unconvincing, as it does nothing at all to pretend that it is a legit Discord app. It is not a maliciously-modified copy of the Discord app. It doesn’t even include and launch a copy of the Discord app, which it could do easily as a subterfuge to make the app look legit. For that matter, it doesn’t even use a convincing icon,” said a researcher.
Binary Defense Recommendation: Although this strain of malware looks to be in its beginning stages it is still important for users to pay attention to the apps they’re downloading and the permissions they are giving them. At the time of writing this article the functionality of this malware is low but that does not mean it can’t be modified and programmed to perform more significant tasks.