Mac malware

Apple users are under threat from a recently discovered Mac malware dubbed OSX Dok, which, according to security researchers, has been customised to steal money from Mac users. The malware has now begun mirroring websites of major banks in an attempt to steal users' banking credentials.

The malware is being distributed through a combination of phishing and man-in-the-middle (MITM) attacks, according to security experts. This attack method allows hackers to spy on all of the victims' communications, even when they are encrypted. The malware is extremely difficult to detect and remove, as it alters the operating system (OS) to disable Apple's security measures.

Check Point security researchers said they've noticed a recent surge in the malware's activities. The hackers operating the malware have been seen "purchasing dozens of Apple certificates to sign on the application bundle and bypass GateKeeper". The experts said they've notified Apple of the compromised certificates, which Apple is constantly revoking. "However new ones appear on a daily basis," Check Point said.

"They are aiming at the victim's banking credentials by mimicking major bank sites. The fake sites prompt the victim to install an application on their mobile devices, which could potentially lead to further infection and data leakage from the mobile platform as well," Check Point researchers added.

Malware targeting victims primarily in Europe

Once installed on a system, the malware downloads Tor to communicate with its dark web-based command and control (C&C) server. It geo-locates victims and customises the attack according to the victim's location. According to the Check Point researchers, OSX Dok is primarily targeting victims in Europe.

The malware poses as legitimate banking websites and tricks victims into entering their login credentials. Victims are also prompted to provide their mobile numbers for SMS authentication. In reality, however, the attackers use victims' phone numbers to trick them into downloading a malicious app, as well as the encrypted messaging app Signal. The researchers speculate that Signal is installed on victims' phones to allow the hackers to communicate with victims to commit further fraudulent activities.

"Whatever the goal may be, Signal will possibly make it harder for law enforcement to trace the attacker," the Check Point researchers said. "Alternatively, the perpetrator might be using Signal temporarily, to acquire install rate statistics and prove the method is working, while planning to install a malicious mobile application with future victims at a later time."

The researchers also noted that OSX Dok shares several similarities with the Retefe banking Trojan, which targeted Windows systems. This led researchers to conclude that the Mac malware is a version of Retefe.

"Unfortunately, the OSX/Dok malware is still on the loose and its owners continue to invest more and more in its obfuscation by using legitimate Apple certificates," the Check Point researchers said. "The fact that the OSX/Dok is ported from Windows may point to a tendency. We believe more Windows malware will be ported to macOS, either due to the lower number of quality security products for macOS compared to the ones for Windows, or the rising popularity of Apple computers."