New malware able to spy on OSX users’ Internet traffic is targeting European users.
Apple’s Gatekeeper did not stop the malware, and at the time it was discovered, signature-based anti-malware engines did not detect it.
Called “Dok” (OSX/Dok) by Check Point, the malware combines phishing techniques and a valid developer certificate to effect a man-in-the-middle (MitM) attack capable of eavesdropping on the victim’s Internet traffic, researchers said in a blog post.
The attack starts with a phishing email. In the example given by Check Point, a sample sent to a user in Germany was baited with supposed inconsistencies in the user’s tax returns. The email included an attachment, Dokument.zip, containing the malware bundle, signed on April 21, 2017 by Seven Muller and called Truesteer.AppStore.
If activated, the malware copies itself to the /Users/Shared folder and executes. A pop-up message tells the user the expected bundle is damaged and could not be opened; meanwhile the malware replaces any login item named ‘AppStore’ with itself in order to gain persistence.
Further social engineering is then used to obtain the user’s password in order to complete the malware installation. It uses localization to pop up a window in either English or German. The window overlays all other windows and claims a security issue has been identified.
The user is asked to enter his or her password in order to obtain the necessary updates. This window persists, and the user is unable to do anything but comply. Even if the computer is restarted, the window will reappear. However, once he or she enters the password, the malware obtains administrator privileges and installs the Homebrew command-line package manager. This is then used to download and install a Tor client and SOCAT.
OSX/Dok then uses its user-granted privileges to suppress further password prompts. It proceeds to install a new root certificate and alter the system’s network settings, redirecting traffic through a server hidden in Tor. This allows the hacker to intercept and read all outgoing traffic, even when legitimately encrypted with SSL. Because the server is in Tor, the hacker remains anonymous.
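The three host-level changes described above (a login item named ‘AppStore’, a newly trusted root certificate, and network settings that push traffic through a local Tor relay) are all visible to a defender with built-in macOS tools. The script below is an added example, not Check Point’s or Apple’s code: it parses the output of `networksetup`, `security` and `osascript` (output formats are assumed and noted inline), compares the system keychain against a fingerprint baseline taken from a known-clean machine, and goes slightly beyond the article by checking both the manual proxy and the proxy auto-config setting. The constructed sample text at the bottom lets it run on any platform; on macOS, `check_host()` runs the real commands.

```python
"""Defender-side check for the OSX/Dok indicators described in the article.
Added example: parses output of the macOS tools networksetup, security and
osascript (formats assumed as noted) and reports proxy, root-certificate and
login-item changes. Not the malware's or any vendor's code."""
import base64
import hashlib
import platform
import re
import shutil
import subprocess

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_kv(text):
    """Parse 'Key: Value' lines, the assumed shape of
    `networksetup -getwebproxy` / `-getsecurewebproxy` / `-getautoproxyurl`."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def proxy_findings(webproxy_text, autoproxy_text):
    """Flag an enabled proxy or PAC URL pointing at the local host, which is
    what a relay such as SOCAT bound on the victim machine would look like."""
    findings = []
    web = parse_kv(webproxy_text)
    if web.get("Enabled") == "Yes" and web.get("Server") in LOOPBACK:
        findings.append(f"web proxy enabled to {web['Server']}:{web.get('Port')}")
    auto = parse_kv(autoproxy_text)
    url = auto.get("URL", "")
    host = re.sub(r"^\w+://", "", url).split("/")[0].split(":")[0]
    if auto.get("Enabled") == "Yes" and host in LOOPBACK:
        findings.append(f"proxy auto-config URL {url}")
    return findings


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM dump such as
    `security find-certificate -a -p /Library/Keychains/System.keychain`."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def new_roots(pem_text, baseline):
    """Certificates present now but missing from a baseline captured on a
    known-clean machine: an added root CA shows up here."""
    return sorted(pem_fingerprints(pem_text) - set(baseline))


def suspicious_login_items(osascript_output, names=("AppStore",)):
    """osascript returns login item names comma-separated (assumed format);
    the article names 'AppStore' as the item the malware replaces."""
    items = [n.strip() for n in osascript_output.split(",") if n.strip()]
    return [n for n in items if n in names]


def relay_tools_present():
    """Tor and SOCAT on PATH are unusual on an end-user Mac."""
    return [t for t in ("tor", "socat") if shutil.which(t)]


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def check_host(baseline_fingerprints, service="Wi-Fi"):
    """Run the real commands on macOS; elsewhere report that nothing was checked."""
    if platform.system() != "Darwin":
        return ["not macOS; nothing checked"]
    report = proxy_findings(_run(["networksetup", "-getwebproxy", service]),
                            _run(["networksetup", "-getautoproxyurl", service]))
    report += proxy_findings(_run(["networksetup", "-getsecurewebproxy", service]), "")
    pem = _run(["security", "find-certificate", "-a", "-p",
                "/Library/Keychains/System.keychain"])
    report += [f"root cert not in baseline: {fp}" for fp in new_roots(pem, baseline_fingerprints)]
    items = _run(["osascript", "-e",
                  'tell application "System Events" to get the name of every login item'])
    report += [f"login item: {n}" for n in suspicious_login_items(items)]
    report += [f"relay tool on PATH: {t}" for t in relay_tools_present()]
    return report


# Constructed sample inputs (not real captures) so the parsers can be exercised offline.
SAMPLE_WEBPROXY = "Enabled: Yes\nServer: 127.0.0.1\nPort: 5555\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_AUTOPROXY = "URL: (null)\nEnabled: No\n"
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_LOGIN_ITEMS = "iTunesHelper, AppStore, Dropbox"

if __name__ == "__main__":
    print(proxy_findings(SAMPLE_WEBPROXY, SAMPLE_AUTOPROXY))
    print(new_roots(SAMPLE_PEM, set()))
    print(suspicious_login_items(SAMPLE_LOGIN_ITEMS))
    print(check_host(set()))
```

The baseline for `new_roots()` should be the fingerprint set from a clean build of the same macOS version, since Apple’s own trusted roots will otherwise all appear as new; the loopback test is deliberately narrow so that a corporate proxy on a real address does not raise noise.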
The potential is serious. For consumers, login details for any accessed online service can be seen and stolen — including bank details.
Apple revoked the developer certificate on April 28. Installation of this version should now be stopped by Gatekeeper. Apple has also pushed out silent updates that protect OSX users against two variants of the malware, OSX.Dok.A and OSX.Dok.B, and also against a new version of the intrusive adware known as OSX.Genieo.F.