New Mac malware spies on encrypted traffic
A newly discovered form of malware that targets users of Apple Inc. Mac computers can intercept and gain complete access to all victim communication, including encrypted traffic.
Called OSX/Dok and first discovered by security firm Check Point Software Technologies Ltd., the malware is spread by an email phishing campaign that pretends to come from government tax collection agencies. Once a user clicks on an attachment, Dok copies itself to the /Users/Shared/ folder and then adds itself to the user’s login items (“loginItem”) to make itself persistent, allowing it to run automatically every time the system reboots.
After installing itself, the malware creates a window on top of all other windows that displays a fake system-generated message claiming that a security issue has been identified and that an update is available. Victims are then prompted to enter their password to install the update, giving the malware administrative privileges and allowing it to change the system’s network settings. That lets the malware re-route all outgoing connections through a proxy, at which point it can intercept all traffic.
It doesn’t stop at hijacking traffic, however. The malware also uses its newly gained administrative privileges to install a package manager for OS X/macOS, which can in turn install additional malicious tools.
That may sound like a typical malware attack, but that’s where the similarities end. Check Point claimed that Dok is signed with a valid developer certificate authenticated by Apple, meaning that it isn’t detected by antivirus software. In addition, Check Point claims that Dok is the first major-scale malware to target OS X users via a coordinated email phishing campaign.
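The behaviours described above (persistence via a login item launched from /Users/Shared, and a proxy configuration change that re-routes outgoing traffic) are all visible from ordinary macOS settings, so a defender can check for them. The script below is an added example written for this article; it is not code from Check Point, Apple or the article itself. It parses the text output of two real macOS commands, `networksetup -getautoproxyurl <service>` and `networksetup -getwebproxy <service>` (the "Key: Value" output format is assumed from memory), plus a list of login-item paths such as `osascript` returns for System Events. The sample inputs, the placeholder PAC URL and the login-item path are constructed for the demonstration; the allowlist parameter is an addition of mine so that a legitimate corporate PAC file is not flagged.

```python
"""Detection heuristics for the OSX/Dok behaviours described in the article.

Added example, not from the article, Check Point or Apple. It inspects
(1) automatic/web proxy settings reported by `networksetup` and
(2) login items, flagging anything launched from /Users/Shared.
Output formats of networksetup are assumed; all sample data is constructed.
"""
import shutil
import subprocess
from typing import Dict, Iterable, List

SHARED_DIR = "/Users/Shared"  # folder the article says Dok copies itself into

# Constructed sample output, mimicking `networksetup -getautoproxyurl Wi-Fi`
SAMPLE_AUTO_PROXY = "URL: http://pac.example.invalid/proxy.pac\nEnabled: Yes\n"
# Constructed sample output, mimicking `networksetup -getwebproxy Wi-Fi` (proxy off)
SAMPLE_WEB_PROXY = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"
# Constructed login-item paths; the second one is the suspicious pattern
SAMPLE_LOGIN_ITEMS = ["/Applications/Safari.app", "/Users/Shared/updater.app"]


def parse_networksetup(output: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines from networksetup into a dict (first colon splits)."""
    settings: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings


def proxy_findings(auto_proxy_out: str, web_proxy_out: str,
                   allowed_pac_urls: Iterable[str] = ()) -> List[str]:
    """Flag an enabled PAC URL not on the allowlist, or any enabled HTTP proxy."""
    findings: List[str] = []
    auto = parse_networksetup(auto_proxy_out)
    if auto.get("Enabled", "").lower() == "yes":
        url = auto.get("URL", "")
        if url not in set(allowed_pac_urls):
            findings.append(f"automatic proxy configuration enabled, not on allowlist: {url}")
    web = parse_networksetup(web_proxy_out)
    if web.get("Enabled", "").lower() == "yes":
        findings.append(f"web proxy enabled: {web.get('Server', '?')}:{web.get('Port', '?')}")
    return findings


def login_item_findings(login_item_paths: Iterable[str]) -> List[str]:
    """Flag login items whose target lives under /Users/Shared."""
    return [f"login item runs from {SHARED_DIR}: {p}"
            for p in login_item_paths if p.startswith(SHARED_DIR + "/")]


def scan_sample() -> List[str]:
    """Run both checks over the constructed sample data."""
    return proxy_findings(SAMPLE_AUTO_PROXY, SAMPLE_WEB_PROXY) + login_item_findings(SAMPLE_LOGIN_ITEMS)


def collect_live(service: str = "Wi-Fi", allowed_pac_urls: Iterable[str] = ()) -> List[str]:
    """Run the real commands when on macOS; returns an empty list elsewhere."""
    if shutil.which("networksetup") is None or shutil.which("osascript") is None:
        return []
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    auto = run(["networksetup", "-getautoproxyurl", service])
    web = run(["networksetup", "-getwebproxy", service])
    items = run(["osascript", "-e",
                 'tell application "System Events" to get the path of every login item'])
    paths = [p.strip() for p in items.split(",") if p.strip()]
    return proxy_findings(auto, web, allowed_pac_urls) + login_item_findings(paths)


if __name__ == "__main__":
    for finding in scan_sample():
        print("SAMPLE:", finding)
    for finding in collect_live():
        print("LIVE:", finding)
```

On a real Mac, `collect_live()` checks the named network service (pass `"Ethernet"` or whatever `networksetup -listallnetworkservices` reports) and any PAC URL your organisation legitimately pushes should go in `allowed_pac_urls`; an enabled PAC file or HTTP proxy that nobody configured, or a login item pointing into /Users/Shared, is worth investigating rather than treated as proof of infection on its own.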
Although the fact that it could exploit a valid Apple developer certificate to begin with is disturbing, there is some good news. Apple told Forbes that as soon as it was made aware of OSX/Dok, the developer certificate was revoked and XProtect was updated to combat the threat.
Putting aside the obvious lesson that Mac users should be just as aware of the dangers of malware as those who run Windows, the attack vector is once again a reminder to all that they should never click on attachments from unknown sources.
Image: iphonedigital/Flickr