Mac Malware: OSX/Dok Bypasses Apple Security, Steals Internet Activity
A newly discovered malware targeted at MacOS devices is capable of intercepting all internet activity on an infected device, including usage on secure sites.
This new malware, dubbed OSX/Dok, was first identified by security firm Check Point. It is capable of affecting all versions of MacOS and has yet to be identified by Mac virus protection software.
Read: Mac Malware: McAfee Reports Huge Increase In Malware On MacOS
OSX/Dok has been able to bypass most Mac protection—including Apple’s own Gatekeeper, a tool that check the validity of every app installed on a device—because it is signed with a valid developer certificate authenticated by Apple.
The particularly nasty malware is being spread through a targeted phishing campaign which has so far primarily targeted European users. Many of the emails containing the malicious software have baited users into downloading OSX/Dok by claiming there was an inconsistency in their tax filing. A .zip file attached to the email contains the malware.
Once a user had downloaded and opened the file, OSX/Dok gets to work installing itself on the machine. It generates a fake pop-up message stating the supposed tax file cannot be opened, then creates a login item for itself with the innocuous name “AppStore.” This allows OSX/Dok to launch immediately when the computer boots up.
Next, the malware produces another fake pop-up, this time telling the user a security issue has been identified and an update to MacOS is available to download. The supposed update requires users to enter their system password to allow the install. If the user enters their password, OSX/Dok can gain administrative privileges on the machine.
Read: Remove Mac Ransomware: How To Tell If You're Infected By KeRanger And Recovery Steps
With its newfound administrative access, OSX/Dok begins performing its most malicious act yet: hijacking a user’s internet activity. It accomplishes this by effectively executing a man-in-the-middle attack, directing the user’s activity through a proxy that allows the attacker to see every bit of sent and received data.
The malware even installs a false security certificate, which allows it to impersonate any website—including HTTPS sites that should be secure and offer an encrypted connection between the user and the site.
The fact that OSX/Dok operates with a valid developer certificate makes the attack a particularly difficult one to stop once it gets started. Luckily, it also means it should be easy for Apple to shut it down once it identifies the certificate, which was likely stolen in the first place. Once Apple invalidates it, Gatekeeper should keep the malware from ever being installed on a machine.
The existence of OSX/Dok shows the evolution of Mac malware in recent years. While the number of malicious attacks targeting Macs is still a miniscule fraction of those designed to infect Windows machines, there has been more focus on hitting MacOS than ever before.
Earlier this year, security firm McAfee reported MacOS malware increased by 744 percent over the course of 2016, with a total of 460,000 instances of MacOS-targeted malware detected in the wild.
© Copyright IBTimes 2024. All rights reserved.