We have reported in the past on the emergence of malware samples for macOS that pose as legitimate apps, circumventing the digital signature that Apple uses, together with its developers, to attest that an app is free of malware. It is not surprising, therefore, that one more security company (this time Check Point) has located a new threat, the first of its kind to be identified in a mass phishing campaign.
Named "Dok", this new malware targets European users and is distributed in fraudulent messages purporting to come from a Swiss revenue agency. According to Check Point, it affects all versions of OS X/macOS (presumably a way of saying that most of the installed base is at risk) and, once opened, disguises itself as a system update that fixes computer problems, thereby deceiving Gatekeeper.
After requesting the user's authentication, the malware installs a root certificate on the infected machine, along with network settings that redirect all of the computer's secure communications through the Tor network so that they can be read. A login item is also added to the operating system, so that the malware keeps running even after the machine is restarted.
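One of the two changes described above (rerouting traffic) leaves a trace that a defender can check for: a machine whose system proxy configuration suddenly points at a proxy or proxy auto-config (PAC) file it did not have before. The script below is an added example, not part of the article and not Check Point's code. It assumes the redirection is done through macOS's system proxy settings (the article does not say how the redirection is configured), parses the text that `scutil --proxy` prints on macOS, and flags any enabled proxy or PAC URL, with extra emphasis on one served from the local machine, which is what a local interception tunnel would look like. The sample `scutil` output, including the `127.0.0.1:5555` address, is constructed for the example.

```python
"""Audit macOS system proxy settings for signs of local traffic interception.

Added example: parses `scutil --proxy` output and reports enabled proxies
and PAC URLs. The sample output below is constructed; call audit_live()
on a real Mac to check the actual configuration.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `scutil --proxy` output with a PAC file served locally.
SAMPLE_SCUTIL_OUTPUT = """<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://127.0.0.1:5555/proxy.pac
  SOCKSEnable : 0
}
"""

KEY_RE = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$")
LOCAL_URL_RE = re.compile(
    r"^(?:https?|socks5?)://(?:127\.\d+\.\d+\.\d+|localhost|\[::1\]|0\.0\.0\.0)(?::\d+)?",
    re.IGNORECASE,
)
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}


def parse_scutil_proxy(text: str) -> Dict[str, str]:
    """Return the flat key/value pairs of a `scutil --proxy` dump.

    Nested arrays (such as ExceptionsList) are skipped; only top-level
    scalar settings are kept.
    """
    settings: Dict[str, str] = {}
    array_depth = 0
    for line in text.splitlines():
        if line.startswith("<dictionary>"):
            continue                      # opening line of the top-level dict
        if "<array> {" in line:
            array_depth += 1              # enter a nested array, ignore contents
            continue
        if line.strip() == "}":
            array_depth = max(0, array_depth - 1)
            continue
        if array_depth:
            continue
        match = KEY_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def proxy_findings(settings: Dict[str, str]) -> List[str]:
    """Describe every enabled proxy/PAC setting; empty list means nothing enabled."""
    findings: List[str] = []
    if settings.get("ProxyAutoConfigEnable") == "1":
        url = settings.get("ProxyAutoConfigURLString", "")
        msg = f"PAC enabled: {url or '(no URL)'}"
        if LOCAL_URL_RE.match(url):
            msg += " [served from this machine: possible local interception]"
        findings.append(msg)
    for proto in ("HTTP", "HTTPS", "SOCKS"):
        if settings.get(f"{proto}Enable") == "1":
            host = settings.get(f"{proto}Proxy", "?")
            port = settings.get(f"{proto}Port", "?")
            msg = f"{proto} proxy enabled: {host}:{port}"
            if host in LOCAL_HOSTS:
                msg += " [points at this machine: possible local interception]"
            findings.append(msg)
    return findings


def audit_live() -> List[str]:
    """Run `scutil --proxy` on the current Mac and return the findings."""
    out = subprocess.run(
        ["scutil", "--proxy"], capture_output=True, text=True, check=True
    ).stdout
    return proxy_findings(parse_scutil_proxy(out))


if __name__ == "__main__":
    for finding in proxy_findings(parse_scutil_proxy(SAMPLE_SCUTIL_OUTPUT)):
        print("WARN:", finding)
```

A finding is not proof of infection on its own (corporate networks legitimately push PAC files), but a PAC or proxy that appeared without an administrator's action and points at the local machine is exactly the condition worth investigating, together with any root certificate the user does not recognise in Keychain Access.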
While Mac antivirus vendors can update their signatures to recognize threats like this, Apple needs to think about controls for cases in which attackers have access to valid certificates from its developer program. Initiatives like the rewards program launched last year are worthwhile, but they are of little help in cases like this.
For us users, the main advice is to stay alert for malicious emails and messages.
(via The Hacker News)