Often thought of as impenetrable, macOS is falling prey to a sneaky malware that’s stealing bank credentials, bypassing Gatekeeper, and disabling attempts to remove it.
macOS users aren’t as safe as they think they might be—there’s a new strain of malware going around that infects devices, fakes bank websites, and steals credentials. It’s a dangerous strain of the OSX/Dok malware and it goes deep into macOS’s configuration to prevent its removal.
OSX/Dok cases found in the wild have surged in the past few weeks according to Check Point Software Technology’s malware team, who say it’s only likely to become more of a threat due to the aggressive Apple certificate buying activities of the malware’s creators.
Apple’s computers are generally considered more secure than their Windows competitors, but this malware is proving that no one is exempt from the security concerns of the modern age.
OSX/Dok: What it does
OSX/Dok was initially discovered in May 2017. Back then it was only known to be spying on web traffic and stealing website credentials, but this newly discovered mutation is actively redirecting traffic to a command and control (C&C) server that spoofs bank login pages in the attempt to harvest user information.
When a computer gets infected, OSX/Dok goes to work disabling security updates and redirecting traffic to Apple servers (and others like Virustotal.com, the only known antivirus platform that detects it) back to the local machine. In this way the malware hides itself and prevents updates that can remove it or stop its operation.
After embedding itself, OSX/Dok downloads TOR and establishes a connection through the dark web to its C&C server, which it accesses using Onion routing. The malware also uses TOR to trace the physical location of the IP address of the infected computer in order to customize its attack. An infected machine from Switzerland, for example, had a proxy setup that redirected common Swiss bank websites to a local proxy and then through to the C&C server.
The C&C server contains a variety of spoof banking websites that try to trick the user into signing in, as well as downloading a mobile app and providing their smartphone number. It also prompts the user to install a legitimate secure messaging app called Signal, though no one knows what its purpose is yet.
OSX/Dok is also able to bypass Apple’s GateKeeper, which is designed to stop installations from apps that don’t have a legitimate Apple developer certificate. The malware’s developers are doing this by buying huge quantities of certificates and attaching them to the malware. Apple is cancelling them as fast as it discovers which ones have been compromised, but Check Point says it’s discovering new ones on a daily basis.
The one bright spot in the OSX/Dok outbreak
There isn’t much good to say about this rather sophisticated malware except for one thing: It’s spreading through phishing emails and requires the user to download and run an executable to install it. As long as users aren’t falling for the phish there’s nothing to worry about.
It falls to IT professionals to make users aware of threats like OSX/Dok, which lacks the ability to spread when a user isn’t tricked into installing it. Once the infection gets hold of a computer it’s a completely different, and much trickier, problem.
Apple may be continuing to revoke certificates compromised by OSX/Dok, but it has yet to issue a security upgrade that will prevent it from bypassing Gatekeeper.
Be sure you’re keeping all the macOS machines on your network up to date and keeping an eye on ones that aren’t able to do so—those machines may already be infected.
Top three takeaways:
- A new, more dangerous form for of OSX/Dok is infecting macOS machines. Its objective is stealing banking account credentials.
- The malware is able to bypass macOS Gatekeeper by using stolen developer certificates. Apple is revoking certificates as soon as it is made aware of their theft, but more are being discovered every day.
- Machines are being infected through a phishing campaign that prompts users to download a zip file that contains an infected executable. IT professionals should inform their users of the OSX/Dok outbreak and ensure that they aren’t opening suspect messages.