We learned recently that macOS malware grew by 744% last year, though most of it fell into the less-worrying category of adware. However, a newly-discovered piece of malware (via Reddit) falls into the ‘seriously nasty’ category – able to spy on all your Internet usage, including use of secure websites.
Security researchers at Check Point found something they’ve labelled OSX/Dok, which gets past Gatekeeper and stops users doing anything on their Mac until they accept a fake OS X update …
OSX/Dok does rely on a phishing attack as its initial way in. Victims are sent an email claiming to be from a tax office regarding their income tax return, asking them to open an attached zip file for details. This should, of course, immediately ring alarm bells: no-one should ever open a zip file they aren’t expecting, even if it seems to be from a known contact.
But after that, the approach taken by the malware is extremely clever. It installs itself as a Login Item called AppStore, which means it runs automatically each time the user logs in. It then waits for a while before presenting a fake macOS update window, which it uses to obtain the user’s password and so administrator rights.
The malware then changes the victim system’s network settings so that all outgoing connections pass through a proxy. The proxy is not hard-coded: it is chosen dynamically by a Proxy AutoConfiguration (PAC) file that the Mac fetches from a server the attackers control, so the attackers can change where traffic goes at any time.
This means that literally everything you do on the Internet, even accessing secure servers over https, will pass through the attacker’s proxy. On its own a proxy cannot read https traffic, so a rogue root certificate is also installed and trusted on the Mac, allowing the proxy to present a certificate for any website without the browser flagging it.
The reason Gatekeeper doesn’t block the malware in the first place is that it is signed with a valid Apple developer certificate. This should make it easy for Apple to address by revoking that certificate, but the whole thing can of course start again if the attackers get hold of another one.
Check out our guide to protecting yourself from phishing attacks, and don’t assume that a padlock in the browser’s address bar means the connection is private: once a rogue root certificate is trusted, the padlock shows for the attacker’s proxy too.