Mac malware spies on encrypted browser traffic
Researchers found a new malware program for macOS that performs man-in-the-middle attacks, writes Lucian Constantin
A new malware program that targets macOS users is capable of spying on encrypted browser traffic to steal sensitive information. Dubbed OSX/Dok by researchers from Check Point Software Technologies, it was distributed via email phishing campaigns to users in Europe.
One of the rogue emails was crafted to look as if it was sent by a Swiss government agency warning recipients about apparent errors in their tax returns. The malware was attached to the email as a file called Dokument.zip.
What makes OSX/Dok interesting is that it was digitally signed with a valid Apple developer certificate. These certificates are issued by Apple to members of its developer program and are needed to publish applications in the official Mac App Store.
Applications signed with an Apple-issued developer certificate can also be installed on the latest versions of macOS without triggering security errors or requiring manual overrides, so it’s not hard to see why this would be valuable to a malware program. It’s not clear if Dok’s creators paid to obtain a developer certificate by joining Apple’s developer program with a fake identity or if they stole the certificate from a legitimate developer.
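The practical lesson of the paragraph above is that a valid Apple developer signature proves who signed a binary, not that the binary is safe. The following is an added example, not code from the article or from Check Point, showing how a defender can triage a sample's signature: it parses the `Authority=` and `TeamIdentifier=` lines that `codesign -dv --verbose=4` prints and checks the team identifier against an allowlist of developers the organisation actually expects. The sample output, the team identifier `TEAMID0000`, the bundle identifier and the path are all constructed for illustration; they are not indicators from OSX/Dok.

```python
import subprocess

# Constructed stand-in for the stderr of `codesign -dv --verbose=4 <app>`.
# Every value here is made up; it is not output from the real malware.
SAMPLE_SIGNED_OUTPUT = """\
Executable=/Users/analyst/Quarantine/Sample.app/Contents/MacOS/Sample
Identifier=com.example.sample
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=312 flags=0x0(none) hashes=5+3 location=embedded
Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""

# Constructed stand-in for what codesign prints for an unsigned binary.
SAMPLE_UNSIGNED_OUTPUT = "/Users/analyst/Quarantine/Plain.app: code object is not signed at all\n"


def parse_codesign(output):
    """Extract the signing chain, team identifier and bundle identifier."""
    info = {"signed": True, "authorities": [], "team_id": None, "identifier": None}
    for line in output.splitlines():
        if "code object is not signed at all" in line:
            info["signed"] = False
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["authorities"].append(value)
        elif key == "TeamIdentifier":
            info["team_id"] = value
        elif key == "Identifier":
            info["identifier"] = value
    # No chain and no team means nothing to trust, whatever the exit status was.
    if not info["authorities"] and info["team_id"] is None:
        info["signed"] = False
    return info


def assess_signature(output, trusted_team_ids):
    """Classify a sample: a valid Apple-issued chain alone is not a pass."""
    info = parse_codesign(output)
    apple_chain = "Apple Root CA" in info["authorities"]
    developer_id = any(a.startswith("Developer ID Application:") for a in info["authorities"])
    trusted = info["signed"] and apple_chain and info["team_id"] in trusted_team_ids
    if not info["signed"]:
        verdict = "unsigned"
    elif trusted:
        verdict = "trusted-team"
    elif apple_chain:
        # This is the OSX/Dok situation: Apple-issued, valid, and still hostile.
        verdict = "apple-issued-but-unknown-team"
    else:
        verdict = "non-apple-chain"
    return {
        "signed": info["signed"],
        "apple_chain": apple_chain,
        "developer_id": developer_id,
        "team_id": info["team_id"],
        "identifier": info["identifier"],
        "trusted": trusted,
        "verdict": verdict,
    }


def assess_bundle(path, trusted_team_ids):
    """Run codesign on a real bundle (macOS only) and assess its output."""
    proc = subprocess.run(
        ["codesign", "-dv", "--verbose=4", path],
        capture_output=True, text=True, check=False,
    )
    # codesign writes its details to stderr.
    return assess_signature(proc.stderr, trusted_team_ids)


if __name__ == "__main__":
    allowlist = {"ABCDE12345"}  # hypothetical team IDs the organisation trusts
    print(assess_signature(SAMPLE_SIGNED_OUTPUT, allowlist)["verdict"])
    print(assess_signature(SAMPLE_UNSIGNED_OUTPUT, allowlist)["verdict"])
```

On the constructed signed sample the verdict is `apple-issued-but-unknown-team`: the chain ends in Apple's root and the signature would satisfy Gatekeeper, but the team behind it is nobody the organisation has vetted, which is exactly the case the article describes. The allowlist is the part that needs maintenance; the parser is the easy half.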
Once installed on a Mac, OSX/Dok displays a fake and persistent notification about a system security update that needs to be installed. Users who agree to install the update will be prompted for their administrator password.
Once the malware obtains elevated privileges, it will make the active user a permanent administrator so the OS will never ask for the password again when the malware executes privileged commands in the background.
Dok will also modify the system’s network settings to route web traffic through a proxy server controlled by the attackers and located on the Tor anonymity network. In order for this to work, it also installs a Tor client that’s started automatically. The reason why web traffic is routed through a proxy server is to perform a man-in-the-middle (MitM) attack and decrypt secure HTTPS connections. This
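The two persistence and interception changes described above (a user silently added to the admin group, and the system proxy settings redirected to a listener the attacker controls) both leave traces in ordinary macOS configuration that a defender can check. The following is an added example, not code from the article or from Check Point, that parses the output of `networksetup -getwebproxy`, `networksetup -getsecurewebproxy` and `dscl . -read /Groups/admin GroupMembership` and reports findings: any enabled HTTP or HTTPS proxy (with a note when it points at loopback, where a locally installed Tor client or relay would listen) and any admin-group member missing from a baseline. The sample outputs, the user `jdoe`, the address and the port are constructed for illustration; they are not indicators from OSX/Dok.

```python
import subprocess

# Constructed output of `networksetup -getwebproxy Wi-Fi` on a machine whose
# HTTP proxy has been pointed at a local listener. Values are made up.
SAMPLE_WEB_PROXY = """\
Enabled: Yes
Server: 127.0.0.1
Port: 8080
Authenticated Proxy Enabled: 0
"""

# Constructed output of `networksetup -getsecurewebproxy Wi-Fi` (HTTPS proxy).
SAMPLE_SECURE_PROXY = SAMPLE_WEB_PROXY

# Constructed output of a machine with no proxy configured.
CLEAN_PROXY = """\
Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0
"""

# Constructed output of `dscl . -read /Groups/admin GroupMembership`.
SAMPLE_ADMIN_GROUP = "GroupMembership: root admin jdoe\n"

LOOPBACK = {"localhost", "::1"}


def parse_proxy(output):
    """Turn the 'Key: value' lines of networksetup into a small dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "enabled": fields.get("Enabled") == "Yes",
        "server": fields.get("Server", ""),
        "port": fields.get("Port", ""),
    }


def is_loopback(host):
    return host in LOOPBACK or host.startswith("127.")


def proxy_findings(name, output):
    """One finding per enabled proxy; loopback targets are called out."""
    proxy = parse_proxy(output)
    if not proxy["enabled"]:
        return []
    target = f"{proxy['server']}:{proxy['port']}"
    if is_loopback(proxy["server"]):
        return [f"{name} proxy enabled and pointed at loopback {target}: "
                f"a local process is intercepting browser traffic"]
    return [f"{name} proxy enabled, target {target}: confirm this is a managed proxy"]


def admin_findings(dscl_output, expected_admins):
    """Report admin-group members that are not in the known baseline."""
    members = []
    for line in dscl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "GroupMembership":
            members = value.split()
    unexpected = sorted(set(members) - set(expected_admins))
    return [f"unexpected admin group member: {user}" for user in unexpected]


def triage(web_proxy, secure_proxy, admin_group, expected_admins):
    findings = []
    findings += proxy_findings("HTTP", web_proxy)
    findings += proxy_findings("HTTPS", secure_proxy)
    findings += admin_findings(admin_group, expected_admins)
    return findings


def triage_live(service="Wi-Fi", expected_admins=("root", "admin")):
    """Collect the real outputs on a Mac and triage them (macOS only)."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return triage(
        run("networksetup", "-getwebproxy", service),
        run("networksetup", "-getsecurewebproxy", service),
        run("dscl", ".", "-read", "/Groups/admin", "GroupMembership"),
        expected_admins,
    )


if __name__ == "__main__":
    for finding in triage(SAMPLE_WEB_PROXY, SAMPLE_SECURE_PROXY,
                          SAMPLE_ADMIN_GROUP, {"root", "admin"}):
        print("FINDING:", finding)
```

The baseline of expected admin accounts is the part an organisation has to supply; on an unmanaged Mac the default admin group contains `root` and `admin` plus whichever users were created as administrators. A proxy pointed at loopback is not proof of compromise by itself (local debugging proxies do the same), but combined with an admin-group change it is the pattern the article describes and worth escalating.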