Skip to main content

Nasty Mac malware bypasses Gatekeeper, undetectable by most antivirus apps

We learned recently that macOS malware grew by 744% last year, though most of it fell into the less-worrying category of adware. However, a newly-discovered piece of malware (via Reddit) falls into the ‘seriously nasty’ category – able to spy on all your Internet usage, including use of secure websites.

Security researchers at CheckPoint found something they’ve labelled OSX/Dok, which manages to go undetected by Gatekeeper and stops users doing anything on their Mac until they accept a fake OS X update …

OSX/Dok does rely on a phishing attack as its initial way in. Victims are sent an email claiming to be from a tax office regarding their income tax return, asking them to open an attached zip file for details. This should, of course, immediately ring alarm-bells: no-one should ever open a zip file they aren’t expecting, even if it seems to be from a known contact.

But after that, the approach taken by the malware is extremely clever. It installs itself as a Login Item called AppStore, which means it automatically runs each time the machine is booted. It then waits for a while before presenting a fake macOS update window.

The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine […]

The malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting in a malicious server.

This means that literally everything you do on the Internet, even accessing secure servers using https connections, will pass through the attacker’s proxy. A bogus security certificate is also installed, allowing the attacker to impersonate any website without being flagged.

As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.

The reason Gatekeeper doesn’t block the malware in the first place is that it has a valid developer’s certificate. This should make it easy for Apple to address, by revoking the certificate, but it of course set in motion again if the attackers can gain access to another certificate.

Check out our guide to protecting yourself from phishing attacks, and don’t necessarily believe what is shown in the browser URL bar.


FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear