Apple Macs Are No Longer Immune To Hacks.

Sunday, May 07, 2017

(CREDIT: David Paul Morris/Bloomberg)
Look sharp, Mac users. There's another emerging threat headed your way, and it's capable of eavesdropping on all of your web browsing, even if you browse sites over an HTTPS connection and the lock icon in your browser's address bar is green.

Researchers at Check Point have observed a new phishing campaign that's currently targeting Mac users across Europe. They say it's the first campaign of its kind and note that the Trojan is signed with a valid Apple developer certificate, just like a legitimate app would be. I've reached out to Apple for a comment on this and will update this post with their response. Update: an Apple spokesperson informed me that the developer certificate has been revoked and XProtect updated to help combat this threat.

Like much of today's malware, social engineering is the key to this new Mac threat. OSX/Dok needs an admin password to successfully compromise a system. It phishes for credentials by displaying full-screen alerts that claim there's an urgent OS X update waiting to be installed.

A malicious OSX/Dok pop-up, courtesy Check Point

Once it has the keys to the castle, OSX/Dok makes the changes it needs to spy on a victim's web browsing. First it gives administrator privileges to whoever's currently logged in. That allows additional password prompts to be bypassed and keeps the rest of the infection process quiet.

Next, OSX/Dok configures all traffic to route through a malicious proxy server on the Dark Web. Then it installs its own root certificate on the machine. That allows OSX/Dok to carry out man-in-the-middle attacks on its victims. The malware can intercept any web traffic it wants by pretending to be the websites a user is trying to access.
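The three host changes described above (a new member of the admin group, a system-wide proxy or PAC file, and an extra root certificate trusted by the admin trust settings) are all visible from the command line, and a defender can check for them. The following audit script is an added example, not Check Point's or the article's code. It assumes the output formats of the macOS `dscl`, `networksetup` and `security` tools; the sample outputs embedded in it are constructed, the proxy host, port, user name and "Acme Update Root" certificate are placeholders rather than indicators from the article, and the baselines passed in are hypothetical (record your own from a known-good Mac).

```python
"""Audit a Mac for the host changes the article attributes to OSX/Dok:
an unexpected admin group member, a system-wide proxy / PAC file and an
admin-trusted root certificate. Added example, not Check Point's or the
article's code. The sample command outputs below are constructed."""
import re
import shutil
import subprocess

# Constructed sample output of: dscl . -read /Groups/admin GroupMembership
# ("alice" is a hypothetical user that was added to the admin group)
SAMPLE_ADMIN = "GroupMembership: root alice\n"

# Constructed sample output of: networksetup -getwebproxy Wi-Fi
# (proxy host and port are placeholders, not indicators from the article)
SAMPLE_WEBPROXY = ("Enabled: Yes\nServer: proxy.invalid\nPort: 8080\n"
                   "Authenticated Proxy Enabled: 0\n")

# Constructed sample output of: networksetup -getautoproxyurl Wi-Fi
SAMPLE_AUTOPROXY = "URL: http://127.0.0.1:8080/proxy.pac\nEnabled: Yes\n"

# Constructed sample output of: security dump-trust-settings -d
# ("Acme Update Root" is a hypothetical attacker-installed CA)
SAMPLE_TRUST = """Number of trusted certs = 2
Cert 0: Corporate Root CA
   Number of trust settings : 0
Cert 1: Acme Update Root
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : SSL
      Result Type           : kSecTrustResultProceed
"""

CERT_LINE = re.compile(r"^Cert \d+: (.+?)\s*$", re.MULTILINE)


def parse_kv(text):
    """Turn 'Key: value' lines (networksetup / dscl style) into a dict."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def admin_findings(dscl_text, expected_admins):
    """Flag admin group members that are not in the known-good baseline."""
    members = parse_kv(dscl_text).get("GroupMembership", "").split()
    return [f"Unexpected admin user: {m}" for m in members if m not in expected_admins]


def proxy_findings(webproxy_text, autoproxy_text):
    """Flag an enabled HTTP proxy or PAC URL; most home Macs have neither."""
    findings = []
    web = parse_kv(webproxy_text)
    if web.get("Enabled") == "Yes":
        findings.append(f"HTTP proxy enabled: {web.get('Server')}:{web.get('Port')}")
    auto = parse_kv(autoproxy_text)
    if auto.get("Enabled") == "Yes":
        findings.append(f"PAC proxy enabled: {auto.get('URL')}")
    return findings


def cert_findings(trust_text, expected_roots):
    """Flag certificates in the admin trust settings that are not in the
    baseline. A clean Mac usually has none; an interception CA shows up here."""
    return [f"Unexpected admin-trusted certificate: {name}"
            for name in CERT_LINE.findall(trust_text) if name not in expected_roots]


def audit_outputs(dscl_text, webproxy_text, autoproxy_text, trust_text,
                  expected_admins, expected_roots):
    """Pure function over captured command output, so it can be unit-tested."""
    return (admin_findings(dscl_text, expected_admins)
            + proxy_findings(webproxy_text, autoproxy_text)
            + cert_findings(trust_text, expected_roots))


def run_or_sample(cmd, sample):
    """Run the macOS tool if it exists here; elsewhere use the constructed sample."""
    if shutil.which(cmd[0]) is None:
        return sample
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def audit_host(expected_admins, expected_roots, service="Wi-Fi"):
    """Collect the live outputs (or samples) and return the list of findings."""
    return audit_outputs(
        run_or_sample(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"], SAMPLE_ADMIN),
        run_or_sample(["networksetup", "-getwebproxy", service], SAMPLE_WEBPROXY),
        run_or_sample(["networksetup", "-getautoproxyurl", service], SAMPLE_AUTOPROXY),
        run_or_sample(["security", "dump-trust-settings", "-d"], SAMPLE_TRUST),
        expected_admins, expected_roots)


if __name__ == "__main__":
    # Hypothetical baselines; record your own from a known-good machine.
    for finding in audit_host({"root"}, {"Corporate Root CA"}):
        print(finding)
```

The checks are deliberately kept as pure functions over captured text, so the same logic can be pointed at command output collected from a fleet (for example by an MDM script) rather than run interactively. On a Mac with no admin trust settings, `security dump-trust-settings -d` prints nothing to stdout, which the certificate check treats as "no findings"; the `-getwebproxy` and `-getautoproxyurl` queries should be repeated for every network service listed by `networksetup -listallnetworkservices`, since a proxy set on one service is not visible from another.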

Web browsers will normally alert users when there's something amiss on a connection that's supposed to be secure. In this case, however, everything appears normal because of the root certificate OSX/Dok drops.

To keep communications with its controllers stealthy, data is transmitted over the Tor network. When the malware's criminal controllers decide that a system has served its purpose, they can trigger self-destruct functionality in OSX/Dok that tells it to remove itself from the infected Mac.

Check Point says that a healthy dose of skepticism is the best way to protect yourself against OSX/Dok. Think twice before typing your admin password in when an app asks for it -- especially if it's an "update" prompt that doesn't look like the ones you're used to seeing on your Mac.
