Malware Uses Apple Developer Certificate to Infect MacOS and Spy on HTTPS Traffic

[MacRumors]

A malware research team has discovered a new piece of Mac malware that reportedly affects all versions of MacOS and is signed with a valid developer certificate authenticated by Apple (via The Hacker News).

The malware has been dubbed "DOK" and is being disseminated through an email phishing campaign which researchers at CheckPoint say is specifically targeting macOS users, making it the first of its kind.

The malware works by gaining administration privileges in order to install a new root certificate on the user's system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL.

The initial email pretends to be informing the recipient of inconsistencies in their tax return and asks them to download a zip file attachment to their Mac that harbors the malware. Apple's built-in Gatekeeper security feature reportedly fails to recognize it as a threat because of its valid developer certificate, and the malware copies itself to the /Users/Shared/ folder and creates a login item to make itself persistent, even in a rebooted system.

The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the "update", the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic.

According to the researchers, Mac antivirus programs have yet to update their databases to detect the DOK malware, and advises that Apple revoke the developer certificate associated with the author immediately.

Back in January, researchers discovered a piece of Mac malware called Fruitfly that successfully spied on computers in medical research centers for years before being detected.

The latest discovery of malware, which appears to target predominantly European users, underlines the fact that Macs are not immune to the threat as is sometimes supposed. As always, users should avoid clicking links or downloading attachments in emails from unknown and untrusted sources.

Article Link: Malware Uses Apple Developer Certificate to Infect MacOS and Spy on HTTPS Traffic

 

[netwalker]

The initial email pretends to be informing the recipient of inconsistencies in their tax return and asks them to download a zip file attachment to their Mac that harbors the malware.

People that actually do this should not have admin rights on their machines.

 

[maflynn]

Wow, more and more reports of malware occurring - need to be even more vigilant

underlines the fact that Macs are not immune to the threat as is sometimes supposed

The money quote right here, we as Mac users cannot blindly ignore the threat.

 

[justperry]

If People see "OS X Updates available" while on MacOs and still clicking Update All they should think first.

Not only that, always update through the AppStore and you won't get this.
.
.
.
.
.
.
.
Edited: Appsore=Appstore.

 

[spazzcat]

Wow, more and more reports of malware occurring - need to be even more vigilant


The money quote right here, we as Mac users cannot blindly ignore the threat.

The IRS isn't going to email you zip file about your taxes. If fact no one you don't know is going to email you a zip file that is real.

 

[RightMACatU]

Another screaming case for cyber education.

 

[BoneDaddy]

Simple:

Keep Mac backed up. If you're the one out of 100,000 to get a virus, reinstal from your backup.

A manufacturer defect is MUCH more likely to bite you in the ass.

 

[shareef777]

People that actually do this should not have admin rights on their machines.

Downloading ANY file in an email from someone you don't know is bad. If everyone knew that, then the internet would be a (slightly) safer place.

 

[macintoshmac]

Can't infect anymore, my ***.

Anyway, as Apple gains popularity and mainstream use, this day was long time coming.. All we can do is be vigilant, that's it, and it is true for any OS, be it macOS or Windows or Linux.

 

[newyorksole]

Sooo you're only affected if you click/open suspicious links? Ok I'm safe.

Can't believe people believe these IRS emails/scams...

 

[darkpaw]

Looking at the screenshot in this story, the spelling mistakes are enough for me to not want to click any further.

I received that email earlier today, but it's to an email address that's not associated with the tax people, so I immediately deleted it.

To avoid all this, I have my own domain and use a separate email for each company/service I interact with, i.e. tesco@mydomain.com, amazon@mydomain.com etc. When I receive spam to a given address, say, tesco@... I change the email for that service to tesco2@... and bin all emails that go to the original. It's a little bit of admin, but it cuts spam down a lot.

 

[adamjackson]

couldn't you just remove that proxy connection via Network Preferences?

In addition, Apple will very soon be removing the signed developer certificate which will make this void, right?

 

[maflynn]

The IRS isn't going to email you zip file about your taxes. If fact no one you don't know is going to email you a zip file that is real.

Never said they were, my point is that unlike years before, these people are now focusing on the mac platform. OS X is no longer immune to such tactics and attempts.

 

[Marshall73]

Yet again it comes down to PEBCAK. These are now rife across windows so its no surprise that Mac users and now also being hit. I had a windows user who received and email which looked like it was from one of their suppliers (although on further inspection the email was something @ aol.de) not only did she open the attachment, but she followed the weblink for a fake dropbox page and entered her office 365 account details. I just stared at her in disbelief, then laughed. (in my mind I whacked her round the head and buried her in their carpark).

 

[fhall1]

If People see "OS X Updates available" while on MacOs and still clicking Update All they should think first.

Not only that, always update through the AppSore and you won't get this.

"STORE" But easier said than done - not every app or utility people need to use are available on the MAS.

 

[Harnuld]

So this is only threat if you download email attachment? If the update appears in AppShop, that is safe?

Will Malwarebytes detect this?

 

[coolfactor]

People that actually do this should not have admin rights on their machines.

Phishing emails are becoming VERY convincing these days. It used to be easy to distinguish a fake email because of typos, mis-used words, and links that point to country-specific domains. But now, they seem to be using actual emails and legitimate links, with only an attachment to open. So at first glance, the email looks real. I've been nearly tricked by the first one of these, but remained vigilant, and then I received a second, and a third, all in the course of a week, and all representing banks that I don't do business with. I know the attachment payload was dangerous with all of these, but the email body sure had me taking a second look!

People, don't EVER EVER EVER open an email attachment (usually .zip archives) if you don't recognize what you've just received. If that email is not from a friend, colleague, or business that you recognize, send that email straight to the Spam folder. If it is from someone you recognize, take a closer look first before clicking.

"Think before you click"
[doublepost=1493385937][/doublepost]

So this is only threat if you download email attachment? If the update appears in AppShop, that is safe?

Will Malwarebytes detect this?

What is AppShop? A third-party app distributor? Only apps signed by Apple are available through the official App Store.

 

[Harnuld]

Phishing emails are becoming VERY convincing these days. It used to be easy to distinguish a fake email because of typos, mis-used words, and links that point to country-specific domains. But now, they seem to be using actual emails and legitimate links, with only an attachment to open. So at first glance, the email looks real. I've been nearly tricked by the first one of these, but remained vigilant, and then I received a second, and a third, all in the course of a week, and all representing banks that I don't do business with. I know the attachment payload was dangerous with all of these, but the email body sure had me taking a second look!

People, don't EVER EVER EVER open an email attachment (usually .zip archives) if you don't recognize what you've just received. If that email is not from a friend, colleague, or business that you recognize, send that email straight to the Spam folder. If it is from someone you recognize, take a closer look first before clicking.

"Think before you click"
[doublepost=1493385937][/doublepost]

What is AppShop? A third-party app distributor? Only apps signed by Apple are available through the official App Store.

My mistake, I wanted to type App Store, but was thinking of needing to go to shop.

So such malware is unable to affect App Store? As long as I ignore all the emails that want to give me attachments, I can breath easy?

 

[swm]

this is untrue. HTTPS traffic cannot be eavesdropped by configuring a proxy. the only thing you will see there is the certificate exchange which is done in cleartext, not the actual communication. HTTPS over proxy is done with the CONNECT directive, and the browser and the server build up the SSL or TLS tunnel, and the proxy is just providing transport for already encrypted communication.

what could be a way to somehow get access to communication content involves a MiTM approach, where the proxy replaces the certificate but this would instantly result an alert on the browser side. this alert is visual and block communication unless the user agrees to trust the invalid certificate.

 

[justperry]

People, don't EVER EVER EVER open an email attachment (usually .zip archives) if you don't recognize what you've just received. If that email is not from a friend, colleague, or business that you recognize, send that email straight to the Spam folder. If it is from someone you recognize, take a closer look first before clicking.

"Think before you click"
[doublepost=1493385937][/doublepost]

What is AppShop? A third-party app distributor? Only apps signed by Apple are available through the official App Store.

Bold
Actually, on MacOS nothing happens when you open a Zip file (read unzip), it's just uncompressing the file, you can even open those files in a Hex Editor.
It's still not too bad if you open the file by clicking on it, as long as you don't give it Administer rights if it asks you to.

 

[thisisnotmyname]

this is untrue. HTTPS traffic cannot be eavesdropped by configuring a proxy. the only thing you will see there is the certificate exchange which is done in cleartext, not the actual communication. HTTPS over proxy is done with the CONNECT directive, and the browser and the server build up the SSL or TLS tunnel, and the proxy is just providing transport for already encrypted communication.

what could be a way to somehow get access to communication content involves a MiTM approach, where the proxy replaces the certificate but this would instantly result an alert on the browser side. this alert is visual and block communication unless the user agrees to trust the invalid certificate.

but they also install their own root cert which would authenticate their own cert. MITM would work.

 

[justperry]

"STORE" But easier said than done - not every app or utility people need to use are available on the MAS.

Fixed.

This is not about Apps, it's about using Updates for the System, in the article above for security reasons, you should not use anything else than the Tab- Updates in the Appstore.

 

[michaelb5000]

But the real harm is after entering the admin user and password, not downloading and opening the zip. There must be a way to boot in safe mode or with another drive and delete that start up item, or just close that process using activity monitor. They don't discuss that part. For example, I don't think my mom even knows her admin account or password, and so she would be calling me for help once she got that prompt; same for all of the other members in my family.

It doesn't really get scary until they find a way around having the admin enter the password.

 

[jayducharme]

Macs are not immune to the threat as is sometimes supposed.

This is still nothing like a typical Windows virus that you can get simply from visiting a website. You'd have to first be so ignorant as to believe that there's an OS X update for your taxes. Then you'd have to override the Mac's default safety settings to install an app from an unknown developer. If you don't know much about computers, hopefully you haven't changed the default app safety settings, and so you'd be okay. If you're more familiar with tech, hopefully you'd recognize this as a pretty obvious scam.

 

[Harnuld]

Fixed.

This is not about Apps, it's about using Updates for the System, in the article above for security reasons, you should not use anything else than the Tab- Updates in the Appstore.

So as long as update appears on that blue icon on my desktop, opening App Store window and asking there to insert App ID password, it´s legitimate? I have itunes or imovie update waiting for me for last week or so there.