The third malware strain targeting macOS this month has been discovered and dubbed LamePyre. Although it still appears to be under development, the malware can already perform a few functions. LamePyre lures its victims by posing as a copy of the Discord app used by gamers. In reality it is only a shell application which, when run by the user, shows the run-of-the-mill Automator icon in the macOS menu bar. The script used by LamePyre first decodes its payload and then takes screenshots and sends them to its C2 server. To keep the backdoor and screenshot functionality running persistently, the script installs a launch agent named com.apple.systemkeeper.plist, but it does not disguise itself well enough to pass as a copy of Discord's messenger. “This malware is really unconvincing, as it does nothing at all to pretend that it is a legit Discord app. It is not a maliciously-modified copy of the Discord app. It doesn’t even include and launch a copy of the Discord app, which it could do easily as a subterfuge to make the app look legit. For that matter, it doesn’t even use a convincing icon,” said a researcher.
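As an added, defender-side example (not code from the original article or from the researcher quoted), the following Python triage of launch agent plists flags the persistence traits described above: a com.apple.* label such as com.apple.systemkeeper.plist installed outside /System/Library, a program launched from a user-writable path, and KeepAlive-style persistence. The sample plist contents are constructed for illustration; the article does not publish the real file's contents, so its path and program are assumptions.

```python
import os
import plistlib
from dataclasses import dataclass, field

# Where third-party launch agents live; Apple's own agents are shipped under
# /System/Library/LaunchAgents, so a com.apple.* label here is suspicious.
THIRD_PARTY_AGENT_DIRS = ("/Library/LaunchAgents", "~/Library/LaunchAgents")
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

@dataclass
class Finding:
    path: str
    label: str
    reasons: list = field(default_factory=list)

def triage_launch_agent(path: str, data: bytes) -> Finding:
    """Parse one launch agent plist and record why it looks suspicious."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    finding = Finding(path=path, label=label)
    if label.startswith("com.apple.") and not path.startswith("/System/"):
        finding.reasons.append("com.apple.* label outside /System/Library")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = str(args[0]) if args else ""
    if program.startswith(USER_WRITABLE_PREFIXES):
        finding.reasons.append(f"program in user-writable path: {program}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        finding.reasons.append("RunAtLoad + KeepAlive (relaunched if killed)")
    return finding

def scan_launch_agents(dirs=THIRD_PARTY_AGENT_DIRS) -> list:
    """Walk the third-party agent directories on a live Mac; return only hits."""
    findings = []
    for d in (os.path.expanduser(p) for p in dirs):
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    finding = triage_launch_agent(path, fh.read())
            except (OSError, plistlib.InvalidFileException):
                continue
            if finding.reasons:
                findings.append(finding)
    return findings

# Constructed sample mimicking the label the article names; path/program are
# assumptions, not the real malware's values.
SAMPLE_PATH = "/Users/alice/Library/LaunchAgents/com.apple.systemkeeper.plist"
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.apple.systemkeeper",
    "ProgramArguments": ["/Users/alice/Library/Application Support/.x/run.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
```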
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense