Security experts discover Mac malware called Dok

Jul 11, 2017 07:19 GMT

Security researchers have discovered new malware aimed specifically at Mac users, from a campaign that previously targeted users of Windows and Android devices.

Believed to be part of Operation Emmental, a campaign first spotted in 2012, the new malware is called Dok and primarily targets customers of Swiss banks, according to an in-depth analysis by security firm Trend Micro.

In essence a Mac version of the Windows banking Trojan Retefe (detected by Trend Micro as WERDLOD), Dok tries to infect Macs via a phishing email carrying two attachments, one with a ZIP extension and one with a DOCX extension.

“The email also comes with two files attached claiming to contain questions for the user: one is a .zip file, which is a fake OSX app, while the other is a .docx file used to target Windows operating systems using WERDLOD. Both of these samples work as Banking Trojans and provide similar functionalities,” Trend Micro explains.

Fake online banking login page

Once the malicious attachment is opened, the malware removes the App Store from the system and triggers a fake OS X update screen asking for the administrator password to continue. Once that password is provided, the malware downloads additional components and installs fake certificates as the groundwork for a man-in-the-middle attack on the victim's web traffic.

The malware automatically kills running browsers so that the certificates are installed, and from then on, whenever the user attempts to connect to a Swiss bank's website, a fake login page is displayed to steal the credentials. The domains that trigger the fake online banking login page are kept in a hardcoded list, and traffic is hijacked only if the infected computer's external IP address is located in Switzerland, Trend Micro says. A practical consequence of that geofence is that an analysis machine outside Switzerland will not see the credential-stealing page at all.
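Because the attack depends on a fake root certificate being trusted by the system, the most direct check on a Mac is to compare the certificates in the System keychain against a baseline from a known-good machine. The script below is an added example written for this article, not code from Trend Micro's analysis: it parses a PEM bundle such as the one produced by `security find-certificate -a -p /Library/Keychains/System.keychain` and reports every certificate whose SHA-256 fingerprint is not on an allowlist. The sample bundle, the two "certificates" in it (arbitrary byte strings, not real DER) and the allowlist are all constructed for the example.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block in a bundle such as the one produced by
#   security find-certificate -a -p /Library/Keychains/System.keychain
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_bundle_to_ders(bundle_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [
        base64.b64decode("".join(body.split()))
        for body in PEM_BLOCK.findall(bundle_text)
    ]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def unexpected_roots(bundle_text, allowlist):
    """Fingerprints of certificates in the bundle that are not on the known-good allowlist."""
    return [
        fp
        for fp in (fingerprint(der) for der in pem_bundle_to_ders(bundle_text))
        if fp not in allowlist
    ]


def to_pem(der):
    """Wrap DER bytes in a PEM envelope (used here only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample input: these are NOT real certificates, just byte strings standing
# in for the DER of a legitimate root and of a rogue root the malware added.
KNOWN_ROOT_DER = b"constructed: DER of a legitimate root CA"
ROGUE_ROOT_DER = b"constructed: DER of a rogue root CA added by the malware"
SAMPLE_BUNDLE = to_pem(KNOWN_ROOT_DER) + to_pem(ROGUE_ROOT_DER)

# Baseline captured from a known-good Mac (constructed here); it contains only the legitimate root.
ALLOWLIST = {fingerprint(KNOWN_ROOT_DER)}

if __name__ == "__main__":
    for fp in unexpected_roots(SAMPLE_BUNDLE, ALLOWLIST):
        print("unexpected root certificate, SHA-256:", fp)
```

In use, replace `SAMPLE_BUNDLE` with the output of the `security` command above and `ALLOWLIST` with fingerprints collected from a clean machine; any hit is a certificate you should be able to account for.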

“We analyzed the webpage and found attackers injecting a script into the webpage. Once the user enters an account and password, it will initiate POST using AJAX. The POST message is sent to the same site as the fake login page—which an attacker can control inside the TOR network,” the research notes.

To stay protected, Mac users are advised to avoid opening attachments from untrusted sources and to run up-to-date security software that can detect and block infected attachments spreading via email. Given how Dok works, an unexpected "OS X update" prompt that asks for the administrator password should be treated as suspicious, and root certificates in the System keychain that you did not install yourself are worth investigating.