Malware Uses Apple Developer Certificate to Infect MacOS and Spy on HTTPS Traffic

MacRumors

macrumors bot
Original poster
Apr 12, 2001



A malware research team has discovered a new piece of Mac malware that reportedly affects all versions of MacOS and is signed with a valid developer certificate authenticated by Apple (via The Hacker News).

The malware has been dubbed "DOK" and is being disseminated through an email phishing campaign which researchers at Check Point say is specifically targeting macOS users, making it the first of its kind.


The malware works by gaining administration privileges in order to install a new root certificate on the user's system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL.

The initial email pretends to be informing the recipient of inconsistencies in their tax return and asks them to download a zip file attachment to their Mac that harbors the malware. Apple's built-in Gatekeeper security feature reportedly fails to recognize it as a threat because of its valid developer certificate, and the malware copies itself to the /Users/Shared/ folder and creates a login item to make itself persistent, even in a rebooted system.

The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the "update", the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic.


According to the researchers, Mac antivirus programs have yet to update their databases to detect the DOK malware; they advise that Apple revoke the developer certificate associated with the author immediately.

Back in January, researchers discovered a piece of Mac malware called Fruitfly that successfully spied on computers in medical research centers for years before being detected.

The latest discovery of malware, which appears to target predominantly European users, underlines the fact that Macs are not immune to the threat as is sometimes supposed. As always, users should avoid clicking links or downloading attachments in emails from unknown and untrusted sources.

 

BoneDaddy

Suspended
Jan 8, 2015
Texas
Simple:

Keep Mac backed up. If you're the one out of 100,000 to get a virus, reinstall from your backup.

A manufacturer defect is MUCH more likely to bite you in the ass.
 

macintoshmac

macrumors 68040
May 13, 2010
Can't infect anymore, my ***. :p

Anyway, as Apple gains popularity and mainstream use, this day was a long time coming. All we can do is be vigilant, that's it, and it is true for any OS, be it macOS or Windows or Linux.
 

darkpaw

macrumors 6502
Sep 13, 2007
London, England
Looking at the screenshot in this story, the spelling mistakes are enough for me to not want to click any further.

I received that email earlier today, but it's to an email address that's not associated with the tax people, so I immediately deleted it.

To avoid all this, I have my own domain and use a separate email for each company/service I interact with, i.e. tesco@mydomain.com, amazon@mydomain.com etc. When I receive spam to a given address, say, tesco@... I change the email for that service to tesco2@... and bin all emails that go to the original. It's a little bit of admin, but it cuts spam down a lot.
 

adamjackson

macrumors 68000
Jul 9, 2008
couldn't you just remove that proxy connection via Network Preferences?

In addition, Apple will very soon be removing the signed developer certificate which will make this void, right?
 

maflynn

Moderator
Staff member
May 3, 2009
Boston
The IRS isn't going to email you a zip file about your taxes. In fact no one you don't know is going to email you a zip file that is real.
Never said they were, my point is that unlike years before, these people are now focusing on the mac platform. OS X is no longer immune to such tactics and attempts.
 

Marshall73

macrumors 68000
Apr 20, 2015
Yet again it comes down to PEBCAK. These are now rife across Windows so it's no surprise that Mac users are now also being hit. I had a Windows user who received an email which looked like it was from one of their suppliers (although on further inspection the email was something @ aol.de); not only did she open the attachment, but she followed the weblink for a fake Dropbox page and entered her Office 365 account details. I just stared at her in disbelief, then laughed. (In my mind I whacked her round the head and buried her in their car park.)
 

Harnuld

macrumors newbie
Apr 28, 2017
So this is only a threat if you download an email attachment? If the update appears in AppShop, is that safe?

Will Malwarebytes detect this?
 

coolfactor

macrumors 601
Jul 29, 2002
Vancouver, BC
People that actually do this should not have admin rights on their machines.
Phishing emails are becoming VERY convincing these days. It used to be easy to distinguish a fake email because of typos, mis-used words, and links that point to country-specific domains. But now, they seem to be using actual emails and legitimate links, with only an attachment to open. So at first glance, the email looks real. I've been nearly tricked by the first one of these, but remained vigilant, and then I received a second, and a third, all in the course of a week, and all representing banks that I don't do business with. I know the attachment payload was dangerous with all of these, but the email body sure had me taking a second look!

People, don't EVER EVER EVER open an email attachment (usually .zip archives) if you don't recognize what you've just received. If that email is not from a friend, colleague, or business that you recognize, send that email straight to the Spam folder. If it is from someone you recognize, take a closer look first before clicking.

"Think before you click"
So this is only a threat if you download an email attachment? If the update appears in AppShop, is that safe?

Will Malwarebytes detect this?
What is AppShop? A third-party app distributor? Only apps signed by Apple are available through the official App Store.
 

Harnuld

macrumors newbie
Apr 28, 2017
Phishing emails are becoming VERY convincing these days. It used to be easy to distinguish a fake email because of typos, mis-used words, and links that point to country-specific domains. But now, they seem to be using actual emails and legitimate links, with only an attachment to open. So at first glance, the email looks real. I've been nearly tricked by the first one of these, but remained vigilant, and then I received a second, and a third, all in the course of a week, and all representing banks that I don't do business with. I know the attachment payload was dangerous with all of these, but the email body sure had me taking a second look!

People, don't EVER EVER EVER open an email attachment (usually .zip archives) if you don't recognize what you've just received. If that email is not from a friend, colleague, or business that you recognize, send that email straight to the Spam folder. If it is from someone you recognize, take a closer look first before clicking.

"Think before you click"

What is AppShop? A third-party app distributor? Only apps signed by Apple are available through the official App Store.
My mistake, I wanted to type App Store, but was thinking of needing to go to shop. :D

So such malware is unable to affect the App Store? As long as I ignore all the emails that want to give me attachments, I can breathe easy?
 

swm

macrumors regular
May 29, 2013
this is untrue. HTTPS traffic cannot be eavesdropped by configuring a proxy. the only thing you will see there is the certificate exchange which is done in cleartext, not the actual communication. HTTPS over proxy is done with the CONNECT directive, and the browser and the server build up the SSL or TLS tunnel, and the proxy is just providing transport for already encrypted communication.

what could be a way to somehow get access to communication content involves a MiTM approach, where the proxy replaces the certificate, but this would instantly result in an alert on the browser side. this alert is visual and blocks communication unless the user agrees to trust the invalid certificate.
 

justperry

macrumors G4
Aug 10, 2007
Home is everywhere and nowhere.
People, don't EVER EVER EVER open an email attachment (usually .zip archives) if you don't recognize what you've just received. If that email is not from a friend, colleague, or business that you recognize, send that email straight to the Spam folder. If it is from someone you recognize, take a closer look first before clicking.

"Think before you click"
[doublepost=1493385937][/doublepost]

What is AppShop? A third-party app distributor? Only apps signed by Apple are available through the official App Store.
Actually, on MacOS nothing happens when you open a Zip file (read: unzip); it just uncompresses the file, and you can even open those files in a hex editor.
It's still not too bad if you open the file by clicking on it, as long as you don't give it Administrator rights if it asks you to.
 

thisisnotmyname

macrumors 68000
Oct 22, 2014
known but velocity indeterminate
this is untrue. HTTPS traffic cannot be eavesdropped by configuring a proxy. the only thing you will see there is the certificate exchange which is done in cleartext, not the actual communication. HTTPS over proxy is done with the CONNECT directive, and the browser and the server build up the SSL or TLS tunnel, and the proxy is just providing transport for already encrypted communication.

what could be a way to somehow get access to communication content involves a MiTM approach, where the proxy replaces the certificate, but this would instantly result in an alert on the browser side. this alert is visual and blocks communication unless the user agrees to trust the invalid certificate.
but they also install their own root cert which would authenticate their own cert. MITM would work.
 
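The two posts above differ on exactly one point: whether the browser trusts the root that issued the proxy's forged certificate. The following Go program is an added example (not code from the article, from Check Point, or from either poster) that shows the difference: a certificate for a host issued by a CA the client does not know fails validation, but the identical certificate passes once that CA's root sits in the trust store, which is the effect of the root-certificate install the article describes. The CA name and the host name are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } } // generation must not fail in the demo

// sign issues t under parent/parentKey (self-signed when parent is nil) and returns
// the parsed certificate together with its freshly generated private key.
func sign(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Accepted is the check a TLS client makes: the leaf must chain to a root in the
// trust store and be valid for the requested host name.
func Accepted(leaf *x509.Certificate, trusted *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err == nil
}

// Demo forges a certificate for host under a rogue CA (both constructed here) and reports
// whether a client accepts it before and after the rogue root is added to the trust store.
func Demo(host string) (before, after bool) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	root, rootKey := sign(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "Rogue Root CA (example)"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, _ := sign(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, rootKey)
	clean, poisoned := x509.NewCertPool(), x509.NewCertPool()
	poisoned.AddCert(root) // the only difference between the two trust stores
	return Accepted(leaf, clean, host), Accepted(leaf, poisoned, host)
}
```

Because the added root is the only difference between the two outcomes, it is the trust store rather than the proxy setting that a user or responder should inspect after an infection like this.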

michaelb5000

macrumors regular
Sep 23, 2015
But the real harm is after entering the admin user and password, not downloading and opening the zip. There must be a way to boot in safe mode or with another drive and delete that start up item, or just close that process using activity monitor. They don't discuss that part. For example, I don't think my mom even knows her admin account or password, and so she would be calling me for help once she got that prompt; same for all of the other members in my family.

It doesn't really get scary until they find a way around having the admin enter the password.
 

jayducharme

macrumors 68040
Jun 22, 2006
The thick of it
Macs are not immune to the threat as is sometimes supposed.
This is still nothing like a typical Windows virus that you can get simply from visiting a website. You'd have to first be so ignorant as to believe that there's an OS X update for your taxes. Then you'd have to override the Mac's default safety settings to install an app from an unknown developer. If you don't know much about computers, hopefully you haven't changed the default app safety settings, and so you'd be okay. If you're more familiar with tech, hopefully you'd recognize this as a pretty obvious scam.
 

Harnuld

macrumors newbie
Apr 28, 2017
Fixed.:)

This is not about apps, it's about using updates for the system. In the article above, for security reasons, you should not use anything other than the Updates tab in the App Store.
So as long as the update appears on that blue icon on my desktop, opening the App Store window and asking me there to insert my App ID password, it's legitimate? I have an iTunes or iMovie update waiting for me for the last week or so there.