Mac mal­ware spies on en­crypted browser traf­fic

Re­searchers found a new mal­ware pro­gram for macOS that per­forms man-in-the-mid­dle at­tacks, writes Lu­cian Con­stantin

iPad&iPhone user - - CONTENTS -

Anew mal­ware pro­gram that tar­gets macOS users is ca­pa­ble of spy­ing on en­crypted browser traf­fic to steal sen­si­tive in­for­ma­tion. Dubbed OSX/Dok by re­searchers from Check Point Soft­ware Tech­nolo­gies, was dis­trib­uted via email phish­ing cam­paigns to users in Europe.

One of the rogue emails was crafted to look as if it was sent by a Swiss gov­ern­ment agency warn­ing re­cip­i­ents about ap­par­ent er­rors in their tax re­turns. The mal­ware was at­tached to the email as a file called Doku­ment.zip.

What makes OSX/Dok in­ter­est­ing is that it was dig­i­tally signed with a valid Ap­ple de­vel­oper cer­tifi­cate. These cer­tifi­cates are is­sued by Ap­ple to mem­bers of its de­vel­oper pro­gram and are needed to pub­lish ap­pli­ca­tions in the of­fi­cial Mac App Store.

Ap­pli­ca­tions signed with an Ap­ple-is­sued de­vel­oper cer­tifi­cate can also be in­stalled on the lat­est ver­sions of macOS with­out trig­ger­ing se­cu­rity er­rors or re­quir­ing man­ual over­rides, so it’s not hard to see why this would be valu­able to a mal­ware pro­gram. It’s not clear if Dok’s cre­ators paid to ob­tain a de­vel­oper cer­tifi­cate by join­ing Ap­ple’s de­vel­oper pro­gram with a fake iden­tity or if they stole the cer­tifi­cate from a le­git­i­mate de­vel­oper.

Once in­stalled on a Mac, OSX/Dok dis­plays a fake and per­sis­tent no­ti­fi­ca­tion about a sys­tem se­cu­rity up­date that needs to be in­stalled. Users who agree to in­stall the up­date will be prompted for their ad­min­is­tra­tor pass­word.

Once the mal­ware ob­tains el­e­vated priv­i­leges, it will make the ac­tive user a per­ma­nent ad­min­is­tra­tor so the OS will never ask for the pass­word again when the mal­ware ex­e­cutes priv­i­leged com­mands in the back­ground.

Dok will also mod­ify the sys­tem’s net­work set­tings to route web traf­fic through a proxy server con­trolled by the at­tack­ers and lo­cated on the Tor anonymity net­work. In or­der for this to work, it also in­stalls a Tor client that’s started au­to­mat­i­cally. The rea­son why web traf­fic is routed through a proxy server is to per­form a man-in-the-mid­dle (MitM) at­tack and de­crypt se­cure HTTPS con­nec­tions. This

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.