UPDATED 22:47 EDT / APRIL 30 2017

INFRA

New Mac malware spies on encrypted traffic

A newly discovered form of malware that targets users of Apple Inc. Mac computers can intercept and gain complete access to all victim communication, including encrypted traffic.

Called OSX/Dok and first discovered by security firm Check Point Software Technologies Ltd., the malware is spread by an email phishing campaign that pretends to come from government tax collection agencies. Once a user clicks on an attachment, Dok copies itself to the /Users/Shared/ folder and then adds itself to “loginItem” to make itself persistent, allowing it to run automatically every time the system reboots.

Once installed, the malware displays a window on top of all others showing a fake system-generated message claiming that a security issue has been identified and that an update is available. Victims are then prompted to enter their password to install the update, which gives the malware administrative privileges and lets it change the system’s network settings. That allows the malware to re-route all outgoing connections through a proxy, at which point it can intercept all traffic.
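The two footholds described above, a proxy forced into the network configuration and a persistent copy under /Users/Shared/, are what a defender would check first. The script below is an added triage example, not code from the article or from Check Point; it assumes macOS’s `networksetup` prints “Enabled: Yes|No” lines, that the network service is named “Wi-Fi” (see `networksetup -listallnetworkservices`), and that login items are readable through System Events via `osascript`.

```shell
#!/bin/sh
# Added defender-side triage for the behaviour the article describes
# (example code, not the article's or Check Point's).
# Assumptions: macOS `networksetup` output format, a service named "Wi-Fi",
# and login items readable via osascript / System Events.

# proxy_enabled OUTPUT: succeed when a networksetup proxy query shows
# an "Enabled: Yes" line (explicit HTTP/HTTPS proxy or automatic PAC URL).
proxy_enabled() {
    printf '%s\n' "$1" | grep -q '^Enabled: Yes'
}

# shared_executables DIR: list executable regular files directly under DIR,
# the location where the article says Dok copies itself.
shared_executables() {
    find "$1" -maxdepth 1 -type f -perm -u+x 2>/dev/null
}

# check_proxies SERVICE: report each proxy setting that is switched on.
check_proxies() {
    for q in getwebproxy getsecurewebproxy getautoproxyurl; do
        if proxy_enabled "$(networksetup -$q "$1" 2>/dev/null)"; then
            echo "WARNING: $q is enabled for $1:"
            networksetup -$q "$1"
        fi
    done
}

# list_login_items: print the current user's login items so an unexpected
# entry (the article's "loginItem" persistence) stands out.
list_login_items() {
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null
}

triage() {
    if ! command -v networksetup >/dev/null 2>&1; then
        echo "networksetup not found: run this triage on macOS" >&2
        return 0
    fi
    check_proxies "Wi-Fi"
    echo "Executables in /Users/Shared:"; shared_executables /Users/Shared
    echo "Login items:"; list_login_items
}

triage
```

An enabled proxy or PAC URL you did not configure, or an unfamiliar executable in /Users/Shared that is also a login item, is the pattern to investigate.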

It doesn’t stop at hijacking traffic, however. The malware also uses its newly gained administrative privileges to install a package manager for OS X/macOS, which can in turn install additional malicious tools.

That may sound like a typical malware attack, but that’s where the similarities end. Check Point claimed that Dok is signed with a valid developer certificate authenticated by Apple, meaning that it isn’t detected by antivirus software. In addition, Check Point claims that Dok is the first major-scale malware to target OS X users via a coordinated email phishing campaign.

Although the fact that it could be signed with a valid Apple developer certificate to begin with is disturbing, there is some good news. Apple told Forbes that as soon as it was made aware of OSX/Dok, the developer certificate was revoked and XProtect was updated to combat the threat.

Putting aside the obvious lesson that Mac users should be just as aware of the dangers of malware as those who run Windows, the attack vector is once again a reminder to all that they should never click on attachments from unknown sources.

Image: iphonedigital/Flickr
