Malware Targets Mac Users Through Well-Played Phishing Attack
Maybe you thought sitting behind a Mac gives you special protection when it comes to getting hacked. Thanks to a new report from Check Point, you can kiss that theory goodbye. The cyber security company just uncovered the latest strain of malware — OSX/Dok — infecting all versions of macOS (previously Mac OS X).
The malware currently has zero detections on VirusTotal and is the first major-scale malware attack to target macOS users via a large email phishing campaign.
Check Point found a phishing message targeting a user in Germany. The email baited the user by claiming to come from an official tax office that had found inconsistencies in their tax returns. Attached to the email was a document of questions about the tax return, which the victim had to download and open.
The ZIP file that is downloaded and opened triggers the malware to install, which Gatekeeper, Apple's security system on Mac computers, doesn't even notice because the malware is signed with a valid developer certificate signed by Apple.
The malware copies itself to the /Users/Shared/ folder, then triggers four shell commands to give all users execute permission for the malicious application, delete the malicious application in the Downloads folder, and then run it from the new location. A popup will then say that the ZIP file could not be opened, and after the victim hits "OK," the malware is made a loginItem so that it can persist through reboots to make sure it can install the full payload.
Then a security issue message will take over the screen claiming a threat has been identified and that an update is needed. The victim is then barred from their computer and has no choice but to press "Update All" and enter their root password to let the malware finish installing.
Once the targeted macOS is infected, and the malware has given itself admin privileges, it installs Tor and socat (a command-line tool), then changes the system's network settings to redirect outgoing connections to a malicious proxy server. Next, it installs a new root certificate which lets the hacker intercept all HTTPS traffic through a man-in-the-middle attack.
By abusing the victim's new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser.
The attacker reads through the victim's traffic like it's the Sunday morning paper — and can tamper with it in the many ways that he or she pleases. After the attacker gets what they needed, the malware deletes itself like nothing ever happened.
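A defender-side check for the proxy change described above, added here as an example (it is not code from Check Point or from this article): it parses the output of macOS's `scutil --proxy` and reports every enabled proxy or auto-proxy setting that is not on an allowlist. Both sample outputs are constructed, and the host names, address and allowlist entries are assumptions.

```python
import re

# (enable flag, value key, port key) as they appear in `scutil --proxy` output
PROXY_KEYS = [
    ("HTTPEnable", "HTTPProxy", "HTTPPort"),
    ("HTTPSEnable", "HTTPSProxy", "HTTPSPort"),
    ("SOCKSEnable", "SOCKSProxy", "SOCKSPort"),
    ("ProxyAutoConfigEnable", "ProxyAutoConfigURLString", None),
]

# Constructed sample: auto-proxy (PAC) enabled, pointing at a documentation-range address
SAMPLE_TAMPERED = """<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
  }
  HTTPEnable : 0
  HTTPProxy : old-proxy.example
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://198.51.100.7/proxy.pac
}"""
# Constructed sample: a known corporate proxy (hypothetical host name)
SAMPLE_CLEAN = """<dictionary> {
  HTTPEnable : 1
  HTTPPort : 3128
  HTTPProxy : proxy.corp.example
}"""

def parse_scutil_proxy(text):
    """Collect top-level 'Key : value' pairs, skipping nested arrays."""
    settings, depth = {}, 0
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 1 and (m := re.match(r"(\w+) : (.*)", line)):
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_proxies(text, allowed=frozenset()):
    """Return (key, endpoint) for every enabled proxy not on the allowlist."""
    s, findings = parse_scutil_proxy(text), []
    for enable, value, port in PROXY_KEYS:
        if s.get(enable) != "1" or value not in s:
            continue  # setting is disabled or has no target
        endpoint = s[value] + (f":{s[port]}" if port and port in s else "")
        if endpoint not in allowed:
            findings.append((value, endpoint))
    return findings
```

On a Mac, pass the captured output of `scutil --proxy` as `text` and list the proxies your organisation actually uses in `allowed`; anything returned is a setting someone or something changed.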
This isn't an odd occurrence in an Apple user's life, either. No. Not anymore. In fact, malware attacks on Macs have gone up 744% in the last year according to the latest threat report by McAfee Labs.
Currently, Mac users hold only a 6.26% share of the market compared to Windows PC users who hold 91.58% market share. Hackers will almost always choose Windows, the one holding the larger share of the market, when casting a broad net. Windows is more convenient to hack, and there's more sensitive data to grab; even if the same percentage of victims get duped into installing malware, the return is higher when targeting Windows.
The thing is, many Mac users believe that their systems are immune to hacking because they run on a more secure Unix environment. Hacking a Mac can be pretty difficult due to many things, including the aforementioned Gatekeeper, which blocks any software without a digitally signed approval from Apple from running on your Mac without your permission. But many Mac users just aren't expecting to get duped into installing malware because they think their machines are invincible by default, which makes Mac users enticing targets.
In either case, if they wanted even higher results, they could have implemented a spear-phishing campaign instead, which targets individuals or groups of individuals more personally, which usually gets a higher percentage response.
If you are interested in testing a hack like this out yourself — to hone your Mac hacking skills and learn how to protect against it from a security perspective — check out Check Point's blog for all the details of how this malware attack works. As of this writing, OSX/Dok has yet to show up on any antivirus software. Apple could resolve the issue by revoking the developer certificate being used by the attacker, but that doesn't mean that a new one couldn't be created.
If you're not a hacker, well, then we recommend being extremely careful not to click on links that sound a bit phishy, or downloading anything that you're not familiar with. It's pretty much common sense these days on the internet — especially in emails. As Check Point warns, "beware of Trojans bearing gifts, especially if they ask for your root password."
Null Byte asked Check Point how they came across the OSX/Dok phishing attack; the security company didn't give us any details, but did let us know that they are always watching:
Our R&D department is always working hard around the clock to discover new malware and vulnerabilities. This discovery was the product of their research.