A newly discovered form of malware that targets users of Apple Inc. Mac computers can intercept and gain complete access to all victim communication, including encrypted traffic.
Called OSX/Dok and first discovered by security firm Check Point Software Technologies Ltd., the malware is spread by an email phishing campaign that pretends to come from government tax collection agencies. Once a user opens the attachment, Dok copies itself to the /Users/Shared/ folder and then adds itself to “loginItem” to make itself persistent, so that it runs automatically every time the system reboots.
Once it is running, the malware creates a window on top of all other windows that displays a fake system-generated message claiming that a security issue has been identified and that an update is available. Victims are then prompted to enter their password to install the update, giving the malware administrative privileges and allowing it to change the system’s network settings. That allows the malware to re-route all outgoing connections through a proxy, at which point it can intercept all traffic.
It doesn’t stop at hijacking traffic, however. The malware also uses its newly gained administrative privileges to install a package manager for OS X/macOS, which can in turn install additional malicious tools.
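The three footholds described above (a drop in /Users/Shared, a login item, and a system-wide proxy) are all things a defender can check for from a terminal. The script below is an added audit example written for this article; it is not Check Point’s or Apple’s code. It assumes the output formats of macOS’s `networksetup` and the `osascript` login-item query, and the PAC URL and proxy address in the sample text are constructed for the example so that the parsing can be exercised on any system.

```shell
#!/bin/sh
# Added audit example (not part of the original article): checks a Mac for the
# footholds described for OSX/Dok. On macOS it queries the live system; elsewhere
# it runs the same parsing on constructed sample output.

# proxy_is_on OUTPUT -> exit 0 when a networksetup -get*proxy* report says "Enabled: Yes"
proxy_is_on() {
  printf '%s\n' "$1" | grep -q '^Enabled: Yes'
}

# proxy_target OUTPUT -> prints the PAC URL, or "server:port" for a plain HTTP(S) proxy
proxy_target() {
  printf '%s\n' "$1" | awk '
    /^URL: /    && $2 != "(null)" { url = $2 }
    /^Server: /                   { srv = $2 }
    /^Port: /                     { port = $2 }
    END { if (url != "") print url; else if (srv != "") print srv ":" port }'
}

# audit_proxies SERVICE -> one line per enabled web, secure-web or auto (PAC) proxy
audit_proxies() {
  svc="$1"
  for kind in webproxy securewebproxy autoproxyurl; do
    out=$(networksetup -get"$kind" "$svc" 2>/dev/null) || continue
    if proxy_is_on "$out"; then
      echo "PROXY  service='$svc' $kind -> $(proxy_target "$out")"
    fi
  done
}

# list_shared [DIR] -> entries of /Users/Shared newest first, so a fresh drop stands out
list_shared() {
  ls -lat "${1:-/Users/Shared}" 2>/dev/null | awk 'NR > 1 && $NF != "." && $NF != ".."'
}

# list_login_items -> names of the current user's login items (macOS only)
list_login_items() {
  command -v osascript >/dev/null 2>&1 || { echo "(osascript not available)"; return 1; }
  osascript -e 'tell application "System Events" to get the name of every login item'
}

# Constructed sample output in the format of `networksetup -getautoproxyurl`,
# one representing a hijacked host (URL is made up) and one a clean host.
SAMPLE_PAC='URL: http://pac.example.invalid/proxy.pac
Enabled: Yes'
SAMPLE_CLEAN='URL: (null)
Enabled: No'

if command -v networksetup >/dev/null 2>&1; then
  # Live audit: first line of -listallnetworkservices is a legend, so skip it.
  networksetup -listallnetworkservices | tail -n +2 | while read -r svc; do
    audit_proxies "${svc#\*}"
  done
  echo "--- login items ---";    list_login_items
  echo "--- /Users/Shared ---";  list_shared
else
  proxy_is_on "$SAMPLE_PAC"   && echo "sample host: PROXY -> $(proxy_target "$SAMPLE_PAC")"
  proxy_is_on "$SAMPLE_CLEAN" || echo "clean sample: no proxy configured"
fi
```

An enabled proxy or PAC URL that nobody configured, a new login item, or a fresh executable under /Users/Shared are each worth investigating on their own; together they match the behaviour the article describes.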
That may sound like a typical malware attack, but that’s where the similarities end. Check Point claimed that Dok is signed with a valid developer certificate authenticated by Apple, meaning that it isn’t detected by antivirus software. In addition, Check Point claims that Dok is the first major-scale malware to target OSX users via a coordinated email phishing campaign.
Although it is disturbing that the malware could use a valid Apple developer certificate in the first place, there is some good news. Apple told Forbes that as soon as it was made aware of OSX/Dok, the developer certificate was revoked and XProtect was updated to combat the threat.
Putting aside the obvious lesson that Mac users should be just as aware of the dangers of malware as those who run Windows, the attack vector is once again a reminder to all that they should never click on attachments from unknown sources.