Years ago, many believed Apple’s OSX was immune to viruses and malware. That notion changed in 2014 and 2015, even though Mac-specific infections had existed since the early 2000s: between 2014 and 2015, reported infections more than doubled. Thanks to timely security updates, among other factors, MacOS (OSX) still remained more secure than some alternative operating systems. The times changed as market saturation occurred. For instance, researchers at Check Point recently discovered a new strain of malware that targeted all versions of OSX.
Known as OSX/Dok, the malware is currently one of a kind. As of the Check Point announcement, VirusTotal is unaware of the malware—it shows zero detections. Furthermore, the malware uses an active, valid developer certificate, “and is the first major scale malware to target OSX users via a coordinated email phishing campaign.”
According to a 2015 report from Bit9 and Carbon Black, Apple machines running OSX were vulnerable to a backdoor trojan called Lamadai, thanks to a Java exploit; a government computer trojan called Appetite; and a Bitcoin-targeting piece of malware called Coin Thief.
Check Point’s most recent discovery targets a user’s internet traffic. OSX/Dok is an especially malicious traffic-targeting tool: a victim’s internet traffic, including SSL-encrypted traffic, runs through a proxy server owned by the malware’s operator.
OSX/Dok targets European users, for the most part. As of now, the main source of the malware is phishing emails. Check Point provided an example where a German user received an email regarding inconsistencies in tax returns. The email contains a .zip file that contains the malware itself. If the victim executes the file, the malware copies itself to a folder and then runs shell commands.
It then claims that the package is damaged via a pop-up window. After the malware’s “true installation” completes, a non-closeable window surfaces. The victim must enter his or her password into a fake security update prompt. From here on out, the attacker is effectively done with the actual infection process. The OSX admin credentials allow the malware to install brew—which it does. Through brew, the malware installs Tor and SOCAT.
It then downloads a proxy auto-configuration (PAC) file and forces all internet traffic through said proxy. A malicious root certificate is also installed on the machine, which allows interception of all internet traffic.
Check Point researchers explained the outcome of the described installation process:
“As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.”
When the task is complete, the malware removes itself from the victim’s machine.
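Because the malware removes itself but leaves the forced proxy auto-configuration in place, the system proxy settings are where a defender can still see it. The following is an added example, not code from Check Point or the original article: it classifies the output of macOS's `networksetup -getautoproxyurl` for each network service against an allowlist. The function names, the `APPROVED_PAC_URLS` variable and the sample URL are assumptions made for illustration.

```shell
#!/bin/sh
# Classify `networksetup -getautoproxyurl <service>` output read on stdin.
# $1: space-separated list of PAC URLs the organisation deploys (assumption).
# Prints: disabled | approved | unexpected:<url>
pac_verdict() {
    allowlist="$1"
    url=""
    enabled=""
    while IFS= read -r line; do
        case "$line" in
            "URL: "*)     url="${line#URL: }" ;;
            "Enabled: "*) enabled="${line#Enabled: }" ;;
        esac
    done
    if [ "$enabled" != "Yes" ] || [ -z "$url" ] || [ "$url" = "(null)" ]; then
        echo "disabled"
        return 0
    fi
    for ok in $allowlist; do
        if [ "$url" = "$ok" ]; then
            echo "approved"
            return 0
        fi
    done
    echo "unexpected:$url"
}

# Constructed sample output (not captured from a real host); the URL is a placeholder.
sample_infected() {
    printf 'URL: http://pac.example.invalid/proxy.pac\nEnabled: Yes\n'
}

# Audit every network service on a Mac; the first line of the listing is a note.
audit_all() {
    networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
        svc="${svc#\*}"   # a leading asterisk marks a disabled service
        verdict=$(networksetup -getautoproxyurl "$svc" | pac_verdict "$1")
        printf '%s: %s\n' "$svc" "$verdict"
    done
}

if command -v networksetup >/dev/null 2>&1; then
    audit_all "${APPROVED_PAC_URLS:-}"
else
    sample_infected | pac_verdict ""   # off macOS, demonstrate on the sample
fi
```

Any `unexpected:` verdict on a machine that should have no PAC file warrants a follow-up review of the root certificates trusted in the System keychain.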