CheckPoint, a security research team has uncovered new malware for macOS. It allegedly interferes with all versions of the macOS operating system and is signed by a valid Apple developer certificate. Malware was named ” OSX/Dok ” and spread through phishing e-mail campaigns.
The said campaign should be, according to researchers focused specifically on MacOS users, and therefore, the first of this kind. Malware works on the principle of gaining administrator privileges in order to install a new root certificate into the user’s system. This enables the malware to gain access to all communication between Mac and the Internet, including data that is encrypted using SSL.
E-mail pretending to inform the recipient of irregularities in the tax return and requesting them to download the zipped file in the attachment. The bad news is that the pre-installed Gatekeeper on Mac does not recognize the program as a threat due to its valid developer’s certificate. After that the malware is copied to the / Users / Shared / folder where it creates a login entry, making it permanently present even in the rebooted system.
Later, OSX/Dok will “warn” user that an update is available for the system, which conveniently requires your password. During the attack, the malware will gain complete control over the administrator privileges and adjust the network settings to redirect all outbound connections through the proxy server. At the same time, additional tools will be installed to allow attacking all traffic.
According to CheckPoint, it is only necessary to update the antivirus programs for the Mac to be able to detect the OSX/Dok malware. Also, Apple should revoke a developer certificate associated with malware developers as soon as possible.