A new stealth Mac malware dubbed Dok has been uncovered by security researchers. The malware uses Tor to evade detection and installs a rogue root certificate to intercept encrypted browser traffic; the application itself is signed with a valid Apple developer certificate. The researchers say the malware has been targeting users in Europe.
Check Point researchers said Dok "is the first major scale malware to target OSX users via a coordinated email phishing campaign". The malware affects all OSX versions and, at the time of discovery, had zero detections on VirusTotal, the popular online malware-scanning service, meaning no antivirus engine yet had a signature for it. The researchers said the Dok app was signed with a rogue but "valid" Apple developer certificate, which lets it run without a Gatekeeper warning; the interception of encrypted web traffic comes from a separate root certificate that the malware installs on the victim's machine (described below).
"The malware mostly targets European users. For instance, one phishing message was observed to target a user in Germany by baiting the user with a message regarding supposed inconsistencies in their tax returns," Check Point malware researcher Ofer Caspi wrote in a blog post.
The spam emails carry a malicious attachment named Dokument.zip, which unzips to an app named Truesteer.AppStore. When run, the app copies itself to another location on the victim's computer, deletes the original file and displays a pop-up error message claiming the document could not be opened.
The malware then deletes the App Store application on the victim's computer and instead adds a new login item, which according to Check Point researchers "will persist in the system and execute automatically every time the system reboots, until it finishes to install its payload".
The malware then tricks the victim into entering their password with a new window urging them to install a security update. "The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim's machine," Caspi added.
With those privileges, Dok installs a new root certificate on the infected system and reroutes the victim's web traffic through an attacker-controlled proxy, giving the attackers a man-in-the-middle (MITM) position from which they can intercept all of the victim's web traffic, including HTTPS, because the victim's browser now trusts certificates issued by the attackers' root. "By abusing the victim's new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser," Caspi said.
However, the samples Check Point analysed may no longer pose a threat. An Apple spokesperson told Forbes that the rogue developer certificate has since been revoked, and Apple has also updated XProtect, macOS's built-in malware signature list, to detect the malware.
Moral of the story: be wary of any software that asks for your administrator password, especially when the request arrives unexpectedly or blocks the rest of the screen. The other key lesson concerns spam emails: attackers increasingly use them to launch large-scale campaigns, and an unexpected attachment is a warning sign even when the message looks plausible.