We learned recently that macOS malware grew by 744% last year, though most of it fell into the less-worrying category of adware. However, a newly-discovered piece of malware (via Reddit) falls into the ‘seriously nasty’ category – able to spy on all your Internet usage, including use of secure websites.

Security researchers at CheckPoint found something they’ve labelled OSX/Dok, which manages to go undetected by Gatekeeper and stops users doing anything on their Mac until they accept a fake OS X update …

NordVPN

OSX/Dok does rely on a phishing attack as its initial way in. Victims are sent an email claiming to be from a tax office regarding their income tax return, asking them to open an attached zip file for details. This should, of course, immediately ring alarm-bells: no-one should ever open a zip file they aren’t expecting, even if it seems to be from a known contact.

But after that, the approach taken by the malware is extremely clever. It installs itself as a Login Item called AppStore, which means it automatically runs each time the machine is booted. It then waits for a while before presenting a fake macOS update window.

The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine […]

The malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting in a malicious server.

This means that literally everything you do on the Internet, even accessing secure servers using https connections, will pass through the attacker’s proxy. A bogus security certificate is also installed, allowing the attacker to impersonate any website without being flagged.

As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.

The reason Gatekeeper doesn’t block the malware in the first place is that it has a valid developer’s certificate. This should make it easy for Apple to address, by revoking the certificate, but it of course set in motion again if the attackers can gain access to another certificate.

Check out our guide to protecting yourself from phishing attacks, and don’t necessarily believe what is shown in the browser URL bar.