macOS Malware on the Rise
macOS users aren’t as safe as they might think: a new strain of malware is going around that infects devices, fakes bank websites, and steals credentials. It’s a dangerous variant of the OSX/Dok malware, and it alters macOS’s configuration deeply enough to resist removal.
OSX/Dok cases found in the wild have surged in the past few weeks, according to Check Point Software Technologies’ malware team, who say it is likely to become an even greater threat because the malware’s creators are aggressively buying Apple certificates.
OSX/Dok was initially discovered in May 2017. Back then it was only known to spy on web traffic and steal website credentials, but this newly discovered mutation actively redirects traffic to a command and control (C&C) server that spoofs bank login pages in an attempt to harvest user information.
When a computer gets infected, OSX/Dok goes to work disabling security updates and redirecting traffic destined for Apple servers (and for others such as VirusTotal.com, the only antivirus platform known to detect it) back to the local machine. In this way the malware hides itself and blocks the updates that could remove it or stop its operation.
After embedding itself, OSX/Dok downloads Tor and establishes a connection through the dark web to its C&C server, which it reaches via onion routing. The malware also uses Tor to trace the physical location of the infected computer’s IP address in order to customize its attack. An infected machine in Switzerland, for example, had a proxy configuration that redirected common Swiss bank websites to a local proxy and from there on to the C&C server.
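The two redirection tricks described above, blocking update and antivirus hosts by pointing them at the local machine and sending bank domains through a proxy on the local machine, are both things a defender can look for in configuration. The following Python script is an added example written for this article, not code from the article, from Check Point, or from the malware; it assumes (the article does not say so) that the first trick is implemented with hosts-file style entries mapping those names to a loopback address, and that the second appears as a PAC-style `PROXY` rule whose target is the local machine. The hosts and PAC samples are constructed for the demonstration and use placeholder names and ports, not real indicators.

```python
"""Heuristic checks for loopback-based traffic redirection on a workstation.

Assumptions (not stated in the article): update/antivirus traffic is blocked
with hosts-file entries that point the hostnames at a loopback address, and
bank traffic is diverted with a PAC rule whose PROXY target is the local host.
"""
import ipaddress
import re

# Constructed sample of a tampered hosts file (placeholder, not a real IoC).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# legitimate local entries above; suspicious entries below
127.0.0.1   swscan.apple.com
127.0.0.1   www.virustotal.com
"""

# Constructed sample PAC script (placeholder domain and port, not a real IoC).
SAMPLE_PAC = """\
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "bank.example")) return "PROXY 127.0.0.1:8080";
    return "DIRECT";
}
"""

# Domains whose traffic should never be answered by the local machine.
WATCHED_SUFFIXES = ("apple.com", "virustotal.com")

PROXY_RE = re.compile(r'PROXY\s+([^\s:;"\']+):(\d+)', re.IGNORECASE)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_loopback(addr):
    """True for any IPv4/IPv6 loopback address (127.0.0.0/8, ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not an IP literal (e.g. a hostname)


def find_loopback_redirects(hosts_text, suffixes=WATCHED_SUFFIXES):
    """Return watched hostnames that a hosts file maps to loopback.

    'localhost' and names under it are legitimately loopback and are skipped.
    """
    hits = []
    for ip, name in parse_hosts(hosts_text):
        if name == "localhost" or name.endswith(".localhost"):
            continue
        watched = any(name == s or name.endswith("." + s) for s in suffixes)
        if watched and is_loopback(ip):
            hits.append(name)
    return hits


def find_local_proxy_rules(pac_text):
    """Return (host, port) for PROXY directives that target the local machine.

    A proxy on loopback is unusual on an ordinary workstation and deserves a look.
    """
    found = []
    for host, port in PROXY_RE.findall(pac_text):
        if host.lower() == "localhost" or is_loopback(host):
            found.append((host, int(port)))
    return found


if __name__ == "__main__":
    # Run the heuristics over the constructed samples; on a real host you would
    # pass the contents of /etc/hosts and the configured PAC script instead.
    for name in find_loopback_redirects(SAMPLE_HOSTS):
        print(f"hosts entry sends {name} to loopback")
    for host, port in find_local_proxy_rules(SAMPLE_PAC):
        print(f"PAC rule proxies traffic through {host}:{port} on this machine")
```

Both checks are heuristics: a developer may legitimately map a domain to loopback for testing, and some endpoint tools do run a local proxy, so treat a hit as a prompt to inspect the machine rather than as proof of infection.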
The C&C server hosts a variety of spoofed banking websites that try to trick the user into signing in, as well as into downloading a mobile app and providing their smartphone number. It also prompts the user to install Signal, a legitimate secure messaging app, though the purpose of that step is not yet known.
There isn’t much good to say about this rather sophisticated malware, except for one thing: it spreads through phishing emails and requires the user to download and run an executable to install it. As long as users aren’t falling for the phish, there’s nothing to worry about.
Source | Tech Republic