A newly discovered Mac malware finds victims via phishing

Apr 28, 2017 20:49 GMT

A new piece of Mac malware has been discovered in the wild, which does not happen often. Dubbed Dok, it may well be the first large-scale malware aimed at Mac owners through a coordinated email phishing campaign.

The discovery was made by security researchers at Check Point, who say the malware affects all versions of OSX and, at the time of their report, was not flagged by a single engine on VirusTotal. Worse, the bundle is signed with a valid Apple Developer ID certificate, so Gatekeeper lets it run without complaint.

Once the infection is complete, the attackers gain complete access to the victim's communications, including traffic encrypted with SSL/TLS.

The researchers found that the malware mostly targets European users, and the phishing lures are elaborate: one German user, for instance, received a message about a supposed inconsistency in their tax return.

What does it do?

The malware arrives in a .zip archive named Dokument.zip; the application inside is signed with a certificate issued to a "Seven Muller" just a week before the campaign was spotted. Once executed, it copies itself to the /Users/Shared/ folder and relaunches from the new location. A dialog then appears claiming the package is damaged and cannot be opened. That dialog is a decoy: the program keeps running.

Meanwhile, if a login item named "AppStore" exists, the malware deletes it and registers itself under that name, so that it is relaunched at every login.

"The malicious application will then create a window on top of all other windows. This new window contains a message, claiming a security issue has been identified in the operating system, that an update is available, and that to proceed with the update, the user has to enter a password as shown in the picture below. The malware checks the system localization, and supports messages in both German and English," Check Point writes.

The victim cannot reach any other window or use the computer until they enter the password and the malware finishes installing. With that password the malware has administrator privileges, which it uses to install Homebrew (brew), a package manager for macOS, and then to install Tor and socat.

"The malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting in a malicious server," researchers note.

A new root certificate is then installed on the infected machine. Because every connection now passes through the attacker's proxy, and the victim's browser trusts certificates chained to that root, the attacker can decrypt and modify HTTPS traffic and impersonate any website without triggering a certificate warning.
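The two host-side symptoms described above, a PAC-driven proxy that swallows all outgoing connections and a login item that relaunches the implant from /Users/Shared, are what an incident responder would look for first. The script below is an added triage example, not Check Point's tooling or code from the malware. It parses the real output format of `networksetup -getautoproxyurl` and the login-item list returned by System Events, and flags PAC scripts that route everything through a proxy outside an allowlist. The sample command output, the PAC text, the 203.0.113.10 address, the port and the allowlist host `proxy.corp.example` are all constructed for the example; on a Mac it runs the live commands, elsewhere it falls back to the samples.

```python
"""Host triage for the Dok-style proxy hijack and login-item persistence
described above. Added example, not Check Point's or the malware's code.
The output formats of `networksetup -getautoproxyurl` and the System
Events login-item query are real macOS formats; the sample outputs, the
PAC text and the allowlist of trusted proxy hosts are constructed."""
import re
import subprocess
import sys

# Constructed assumption: the only proxy host an administrator expects to see.
TRUSTED_PROXY_HOSTS = {"proxy.corp.example"}

# Constructed sample of `networksetup -getautoproxyurl Wi-Fi` on an infected host.
SAMPLE_AUTOPROXY = "URL: http://203.0.113.10/proxy.pac\nEnabled: Yes\n"
# Constructed PAC file: every request goes to the attacker's proxy, never DIRECT.
SAMPLE_PAC = 'function FindProxyForURL(url, host) { return "PROXY 203.0.113.10:5555"; }'
# Constructed login items (name -> path), as System Events reports them.
SAMPLE_LOGIN_ITEMS = {"AppStore": "/Users/Shared/AppStore.app"}


def parse_autoproxy(output):
    """Parse `networksetup -getautoproxyurl <service>` output into (pac_url, enabled)."""
    pac_url, enabled = None, False
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "url":
            pac_url = value or None
        elif key == "enabled":
            enabled = value.lower() == "yes"
    return pac_url, enabled


def pac_proxies(pac_source):
    """Return every proxy endpoint (host:port) a PAC script can hand back."""
    return set(re.findall(r"\b(?:PROXY|SOCKS5?|HTTPS?)\s+([^\s;\"']+)", pac_source))


def assess_pac(pac_source, trusted=TRUSTED_PROXY_HOSTS):
    """Flag proxies outside the allowlist and a PAC that can never return DIRECT."""
    findings = []
    for endpoint in sorted(pac_proxies(pac_source)):
        host = endpoint.rsplit(":", 1)[0]
        if host not in trusted:
            findings.append("PAC routes traffic through untrusted proxy " + endpoint)
    if "DIRECT" not in pac_source:
        findings.append("PAC never returns DIRECT: every connection is proxied")
    return findings


def assess_login_items(items):
    """Flag login items that run from /Users/Shared or that impersonate the App Store."""
    findings = []
    for name, path in items.items():
        if path.startswith("/Users/Shared/"):
            findings.append("login item %r runs from %s" % (name, path))
        elif name == "AppStore" and not path.startswith("/Applications/"):
            findings.append("login item %r mimics the App Store but runs from %s" % (name, path))
    return findings


def triage(autoproxy_output, pac_source, login_items):
    """Combine the checks; returns a list of findings (empty when nothing is suspicious).
    pac_source may be None when the PAC body has not been retrieved yet."""
    findings = []
    pac_url, enabled = parse_autoproxy(autoproxy_output)
    if enabled and pac_url:
        findings.append("automatic proxy configuration enabled, PAC at " + pac_url)
        if pac_source is not None:
            findings.extend(assess_pac(pac_source))
    findings.extend(assess_login_items(login_items))
    return findings


def collect_live(service="Wi-Fi"):
    """On macOS, run the real commands; elsewhere return None so the samples are used.
    The PAC body is deliberately not fetched here: retrieve it separately and review it."""
    if sys.platform != "darwin":
        return None

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout

    autoproxy = run("networksetup", "-getautoproxyurl", service)
    ask = 'tell application "System Events" to get the %s of every login item'
    names = [n.strip() for n in run("osascript", "-e", ask % "name").split(",") if n.strip()]
    paths = [p.strip() for p in run("osascript", "-e", ask % "path").split(",") if p.strip()]
    return autoproxy, dict(zip(names, paths))


if __name__ == "__main__":
    live = collect_live()
    if live is None:
        results = triage(SAMPLE_AUTOPROXY, SAMPLE_PAC, SAMPLE_LOGIN_ITEMS)
    else:
        results = triage(live[0], None, live[1])
    print("\n".join(results) or "no Dok-style indicators found")
```

Run against the constructed samples it reports four findings: the enabled PAC, the untrusted proxy it names, the absence of any DIRECT path, and the "AppStore" login item living in /Users/Shared. The third symptom on the page, the attacker's root certificate, is not covered by this script; on a live host compare the output of `security find-certificate -a -Z /Library/Keychains/System.keychain` and `security dump-trust-settings -d` against a known-good baseline, since a root that is trusted system-wide is exactly what lets the proxy terminate TLS silently.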