For as long as I can remember, one of the key points in arguments for Apple Mac systems has been their security. The systems boasted that they didn’t get infected with malware, and they limited any such activity with rigorous app signatures for everything a user might want on their Mac. This is the latest malware attack on the Apple Mac, and this is what you need to know.
The current malware threat has the ability to slip past verification processes using its own legitimate app signature. It also opens channels to eavesdrop on its users and see what they are doing at any given time, regardless of HTTPS. This makes OSX/DOK one sly phishing application. Researchers at Check Point observed the Trojan campaign hitting users all over Europe, labelling it the first of its kind. When Apple was contacted with the relevant details, they revoked the developer certificate in an attempt to halt the attacks.
How it works.
The OSX/DOK Trojan application gains access to the victim’s computer and then shows the user a pop-up message stating that an important OSX update is pending. The message presents a form asking for authorization to continue with the update, in which the user is asked to enter their administrator password. The malware then uses the escalated admin privileges to infect the system without getting stuck on any of the password prompts it might otherwise have encountered.
After it finishes its first mission of gaining the skeleton key to the system, it shifts to its true purpose. It starts by configuring the required settings to route web traffic through a malicious proxy server located on the dark web. This process uses onion routing to split the traffic into multiple streams, which gives it some camouflage. Why does your system not throw the usual warning messages? When the malware sets up the connection to the proxy server, it installs its own root certificate on the machine, causing the machine to treat the intercepted traffic as legitimate.
Once all the required steps are complete, it can effectively start its man-in-the-middle attacks. Essentially, the malware acts as the server the user intended to reach and can then track and gather all of the user’s information while they browse. Making this malware even more unusual is its ability to self-destruct on remote request from the hidden operator. Once the command is received, it promptly removes itself from the system.
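The two artefacts this stage leaves behind, a system-wide proxy redirection and an extra trusted root certificate, are exactly what a defender can audit for. The following script is an added example, not code from this post, from Check Point, or from the malware itself. It parses text in the shape of the output of three macOS commands (the formats are assumptions of the example): `networksetup -getautoproxyurl Wi-Fi`, `networksetup -getwebproxy Wi-Fi`, and `security find-certificate -a -p /Library/Keychains/System.keychain`. It flags any enabled proxy and any trusted root whose SHA-256 fingerprint is not in an admin-maintained allowlist. All sample outputs below are constructed, and the PEM bodies are placeholder bytes rather than real certificates, so only the fingerprint-comparison logic is exercised.

```python
"""Audit helpers for the two traces a proxy-plus-root-cert MITM leaves on macOS.

Added example; the command output formats and the allowlist are assumptions.
"""
import base64
import hashlib
import re

# Constructed sample of `networksetup -getautoproxyurl Wi-Fi` after a PAC file
# has been pointed at a local listener (address and port are made up).
SAMPLE_AUTOPROXY = """URL: http://127.0.0.1:5555/proxy.pac
Enabled: Yes
"""

# Constructed sample of `networksetup -getwebproxy Wi-Fi` with no manual proxy.
SAMPLE_WEBPROXY = """Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _placeholder_pem(fake_der: bytes) -> str:
    """Wrap placeholder bytes in PEM armour (constructed, not a real cert)."""
    body = base64.b64encode(fake_der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


KNOWN_ROOT_DER = b"placeholder DER of a root the admin baselined"
ADDED_ROOT_DER = b"placeholder DER of a root the malware added"

# Constructed sample of `security find-certificate -a -p` on the System keychain.
SAMPLE_PEM_BUNDLE = _placeholder_pem(KNOWN_ROOT_DER) + _placeholder_pem(ADDED_ROOT_DER)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, the form keychain tools usually show."""
    return hashlib.sha256(der).hexdigest()


# Hypothetical allowlist an administrator maintains from a clean baseline.
KNOWN_GOOD_FINGERPRINTS = {fingerprint(KNOWN_ROOT_DER)}


def parse_kv(output: str) -> dict:
    """Parse `Key: value` lines as printed by networksetup."""
    result = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            result[key.strip()] = value.strip()
    return result


def proxy_findings(autoproxy_out: str, webproxy_out: str) -> list:
    """Return human-readable findings for any enabled PAC or manual HTTP proxy."""
    findings = []
    auto = parse_kv(autoproxy_out)
    if auto.get("Enabled") == "Yes" and auto.get("URL"):
        findings.append(f"PAC auto-proxy enabled: {auto['URL']}")
    web = parse_kv(webproxy_out)
    if web.get("Enabled") == "Yes":
        findings.append(f"HTTP proxy enabled: {web.get('Server')}:{web.get('Port')}")
    return findings


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def unknown_roots(pem_bundle: str, known: set) -> list:
    """Fingerprints of every certificate in the bundle absent from the allowlist."""
    unknown = []
    for pem in PEM_RE.findall(pem_bundle):
        fp = fingerprint(pem_to_der(pem))
        if fp not in known:
            unknown.append(fp)
    return unknown


def audit(autoproxy_out: str, webproxy_out: str, pem_bundle: str, known: set) -> dict:
    """Combine both checks; a non-empty value in either key deserves a look."""
    return {
        "proxy": proxy_findings(autoproxy_out, webproxy_out),
        "unknown_roots": unknown_roots(pem_bundle, known),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_AUTOPROXY, SAMPLE_WEBPROXY,
                            SAMPLE_PEM_BUNDLE, KNOWN_GOOD_FINGERPRINTS).items():
        print(key, value)
```

On a real machine you would feed `audit()` the live output of the three commands (for each network service, not only Wi-Fi) and keep the allowlist under version control, since a proxy that appears together with a root you never installed is the combination described in the paragraphs above.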
The kind people over at Check Point prescribe a dose of awareness when you are prompted for any urgent “updates” to your system, and ask you to think twice before typing in your user credentials at will, especially if the prompt doesn’t look like anything you have seen on your system before. With Apple taking quick steps to revoke the certificate, I don’t see this threat lasting much longer, but it is always advisable to stay prepared when it comes to your system.
Featured image: original
Written by: NinjaClicks