OSX.LamePyre

By GoldSparrow in Mac Malware, Trojans

The OSX.LamePyre malware is a simple, low-severity threat that targets Mac systems exclusively. The security researchers who came across OSX.LamePyre found that it is being distributed as a bogus copy of the popular instant messaging application Discord.

The Discord application has over 250 million users, which makes it an attractive lure for cybercriminals. Users who download the bogus version may let OSX.LamePyre onto their systems. On top of this, the fake copy of Discord does not even run as intended. The fact that the crooks did not wrap a functioning copy of Discord around their payload may hinder the campaign: users who install the application and notice that it does not work are likely to realize that something is wrong, and some of them will go on to find and remove OSX.LamePyre from their Macs before it does any significant damage.

When OSX.LamePyre compromises a computer, it runs a script that takes screenshots of the victim's desktop and active windows and exfiltrates them to the operators' C&C (Command & Control) server. OSX.LamePyre also reuses code from the well-known EmPyre backdoor, which lets it open a reverse shell on the infected Mac: the victim's machine initiates the connection outbound to the operators, who then get a remote command shell on it, as if they were typing into the macOS Terminal.

To call OSX.LamePyre “simple” would be an understatement. The primary function of the malware appears to be taking screenshots and sending them to a control server through a backdoor. It disguises itself as a Discord app for gamers, but researchers noted that the disguise doesn’t go much further than that: the fake Discord app does little of anything and instead runs an Automator script.

A Simple Icon for a Simple Trojan

When users run LamePyre, they will notice the generic Automator icon (the spinning gear) appear in the menu bar, which is what any Automator application shows while its workflow is running.

The script decodes the payload, which is written in Python, and runs it on the computer. The payload takes screenshots of the system and sends them to an external command and control (C2) server operated by the attacker.
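The following is an added triage helper, not code from LamePyre or from the researchers' writeup. An Automator application keeps its workflow in Contents/document.wflow, a property list; the helper parses that file, pulls out the shell commands the workflow runs, and decodes any base64-encoded Python embedded in them, which is the shape of dropper described above. It assumes the "Run Shell Script" action stores its script under action, ActionParameters, COMMAND_STRING (an assumption about Automator's format), and the workflow and the payload it builds are constructed stand-ins for illustration, not the real LamePyre stager.

```python
"""Triage an Automator-based dropper: read Contents/document.wflow, list the
shell commands it runs, and decode base64 Python hidden in them.

Added example, not LamePyre's code. Assumes the Run Shell Script action keeps
its script under action -> ActionParameters -> COMMAND_STRING. The workflow
and payload below are constructed for illustration."""
import base64
import plistlib
import re
import tempfile
from pathlib import Path

# Long runs of the base64 alphabet (optionally padded) are candidate payloads.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed stand-in for the Python stager; the real one takes screenshots
# and installs EmPyre, this one only announces itself.
SAMPLE_PAYLOAD = 'import platform\nprint("constructed stand-in stager on", platform.system())\n'


def build_sample_workflow(app_dir: Path) -> Path:
    """Write a constructed document.wflow whose single action runs a shell
    one-liner that base64-decodes SAMPLE_PAYLOAD and pipes it into python."""
    encoded = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    command = f"echo {encoded} | base64 -D | python"  # 'base64 -D' is the macOS decode flag
    doc = {
        "actions": [
            {"action": {
                "ActionBundlePath": "/System/Library/Automator/Run Shell Script.action",
                "ActionParameters": {"COMMAND_STRING": command, "shell": "/bin/sh"},
            }}
        ]
    }
    contents = app_dir / "Contents"
    contents.mkdir(parents=True, exist_ok=True)
    wflow = contents / "document.wflow"
    with open(wflow, "wb") as f:
        plistlib.dump(doc, f)
    return wflow


def extract_shell_commands(wflow_path: Path) -> list[str]:
    """Return every non-empty COMMAND_STRING found in the workflow's actions."""
    with open(wflow_path, "rb") as f:
        doc = plistlib.load(f)
    commands = []
    for entry in doc.get("actions", []):
        params = entry.get("action", {}).get("ActionParameters", {})
        cmd = params.get("COMMAND_STRING")
        if isinstance(cmd, str) and cmd.strip():
            commands.append(cmd)
    return commands


def decode_embedded_payloads(command: str) -> list[str]:
    """Decode each base64 blob in a command that yields readable UTF-8 text."""
    payloads = []
    for blob in B64_RE.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all, or binary: leave it for a hex dump
        if all(ch.isprintable() or ch.isspace() for ch in text):
            payloads.append(text)
    return payloads


def triage(wflow_path: Path) -> dict:
    """Commands the workflow runs, plus any decoded text payloads found in them."""
    commands = extract_shell_commands(wflow_path)
    payloads = [p for c in commands for p in decode_embedded_payloads(c)]
    return {"commands": commands, "payloads": payloads}


def run_demo() -> dict:
    """Build the constructed app bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        wflow = build_sample_workflow(Path(tmp) / "Discord.app")
        return triage(wflow)


if __name__ == "__main__":
    result = run_demo()
    for cmd in result["commands"]:
        print("workflow runs:", cmd[:60] + "...")
    for payload in result["payloads"]:
        print("decoded payload:\n" + payload)
```

On a real sample, call `triage(Path("/path/to/Suspect.app/Contents/document.wflow"))` on a copy of the bundle; the decoded text is the stage you want to read, and nothing here executes it.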

[Image: the decoded LamePyre Python script]

Researchers noted that part of the Python code shown above installs the EmPyre backdoor on the affected system. EmPyre is an open-source post-exploitation agent that has been bundled with other malware in the past; it was used as part of OSX.DarthMiner, a cryptocurrency-mining malware.

On the surface, LamePyre seems too, well, lame to be much of a real threat. Either it is a shoddy hack job, or it is only the first development stage of a more serious threat. The program doesn’t even try to look and act like a legitimate Discord client in order to fool victims.

It does not appear to be a maliciously modified build of the official Discord app, and it does not bundle a copy of the real app, which would make it far better at hiding. Not even the app icon is very convincing.

About the only thing the malware has going for it is a cleverly named launch agent. LamePyre persists by creating a launch agent called ‘com.apple.systemkeeper.plist’, a label chosen to look like an Apple component, which is surprisingly deceptive for something so basic.
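The persistence trick above suggests a cheap hunt. Apple ships its own com.apple.* agents under /System/Library/LaunchAgents, not in a user's ~/Library/LaunchAgents, so an Apple-style label in the per-user directory deserves a look on its own, and an agent that hands an interpreter inline code or points into a scratch or hidden directory is a second signal. The script below is an added example, not LamePyre's code; the two plists it writes are constructed, one reusing the label reported on this page and one an ordinary third-party updater used as a control.

```python
"""Hunt a user LaunchAgents directory for agents that impersonate Apple or
otherwise look like a dropper's persistence, as LamePyre's does.

Added example, not LamePyre's code. The plists below are constructed."""
import plistlib
import tempfile
from pathlib import Path

INTERPRETERS = {"python", "python2", "python3", "osascript", "sh", "bash", "zsh", "perl", "ruby"}
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def inspect_launch_agent(plist_path: Path) -> dict:
    """Return {'path', 'label', 'reasons'}; an empty reasons list means nothing stood out."""
    reasons = []
    try:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
    except (plistlib.InvalidFileException, ValueError):
        return {"path": str(plist_path), "label": "", "reasons": ["unparseable plist"]}

    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))

    # Apple's own agents never live in ~/Library/LaunchAgents.
    if label.startswith("com.apple."):
        reasons.append("Apple-style label outside Apple's LaunchAgents directories")
    # python -c / osascript -e / sh -c with the payload inline is classic dropper style.
    if Path(program).name in INTERPRETERS and any(a in ("-c", "-e") for a in args[1:]):
        reasons.append(f"interpreter {Path(program).name} given inline code")
    # Binaries under temp dirs or dot-directories are rarely legitimate agents.
    if program.startswith(SCRATCH_PREFIXES) or "/." in program:
        reasons.append(f"program in a scratch or hidden location: {program}")
    return {"path": str(plist_path), "label": label, "reasons": reasons}


def scan_launch_agents(directory: Path) -> list[dict]:
    """Inspect every *.plist in a LaunchAgents directory and return only the hits."""
    findings = [inspect_launch_agent(p) for p in sorted(directory.glob("*.plist"))]
    return [f for f in findings if f["reasons"]]


# Constructed agents: the first borrows the label reported for LamePyre and
# launches inline Python; the second is a plausible third-party updater.
SUSPICIOUS = {
    "Label": "com.apple.systemkeeper",
    "ProgramArguments": ["/usr/bin/python", "-c", "print('constructed stand-in for the stager')"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
BENIGN = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
}


def run_demo() -> list[dict]:
    """Write both constructed agents to a temporary LaunchAgents dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp) / "LaunchAgents"
        agents.mkdir()
        for name, content in (("com.apple.systemkeeper.plist", SUSPICIOUS),
                              ("com.example.updater.plist", BENIGN)):
            with open(agents / name, "wb") as f:
                plistlib.dump(content, f)
        return scan_launch_agents(agents)


if __name__ == "__main__":
    # On a live Mac, scan the real directory instead:
    # scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
    for hit in run_demo():
        print(hit["label"], "->", "; ".join(hit["reasons"]))
```

The label check alone catches the trick described on this page; the other two heuristics are there because a renamed copy with an honest-looking label would still trip over them.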

The program's basic nature also means it does little to draw attention. By the time users notice that something is wrong, LamePyre would already have opened a backdoor, connected to the C2 server, and started sending screenshots to the attacker.

According to malware analysts, OSX.LamePyre may still be in development, as it does not appear to be a fully functioning, finished project. Even so, it is best to protect your Mac against threats like OSX.LamePyre with a reputable anti-malware application that supports your version of macOS.
