May 1, 2017 by

First Ever ‘Major Scale’ Mac Malware Hits Users with Phishing Campaign

Security researchers have discovered a new malware program that targets macOS users and is capable of spying on browsing traffic – even encrypted traffic – to steal users’ sensitive information.

Dubbed as OSX/Dok, the malware has been spotted targeting users in Europe via phishing campaigns. According to researchers from security firm Check Point, emails from the phishing campaign purported to be sent by a Swiss government agency that warned recipients about errors in their tax returns. The bogus email tricks users into downloading a ZIP file titled

When launched, the malware gains control of the target’s machine and enables attackers to listen in on the victim’s internet traffic to spy one’s activity. The discreet operation even comes with an auto-delete feature, to remove traces of the malware after the attackers have gathered what they need.

While this may sound like any usual-fare phishing scam, OSX/Dok is particularly unique in its threat because it was digitally signed with a valid Apple developer certificate at the time of development. These certificates are typically issued by Apple to members of its developer program, enabling devs to publish applications on the Mac App Store.

Moreover, the certificate enables applications to be installed on the latest variant of macOS by bypassing security controls or manual overrides.

When it is installed on a Mac, the malware displays a faux notification about a system security update that needs to be installed. Unsuspecting victims who agree to install the update will be prompted for their admin password. With these privileges, the malware makes the active user the permanent admin of the OS, ensuring a free ride for the malware to execute privileged commands as a background process.

From here, the malware modifies the system’s network settings to route all web traffic through a proxy web server on the Tor network. Fundamentally, this enables the proxy server to undertake a man-in-the-middle attack, allowing attackers to steal all sorts of sensitive information by snooping in on the user’s encrypted activity. This includes passwords, credit card details, financial information and more.

Apple has been notified of the malware and has since revoked the rogue developer certificate.

Image credit: Pexels.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Apple Partners Allianz to Offer CyberCrime Insurance Perks

A new partnership between Apple, Cisco and insurance firm Allianz SE will see businesses using...

Read more arrow_forward

Happy New Year: Researcher Drops MacOS Zero-Day Root Access Kernel Exploit

To ring in the new year, a security researcher on New Year’s Day disclosed an unpatched security...

Read more arrow_forward

Apple Pushes Update to Fix Major Mac OS Vulnerability

Apple has issued an emergency patch after admitting to a major security flaw that enabled anyone to...

Read more arrow_forward