Nasty Mac malware bypasses Apple’s macOS Gatekeeper, undetectable by most antivirus apps

“We learned recently that macOS malware grew by 744% last year, though most of it fell into the less-worrying category of adware,” Ben Lovejoy reports for 9to5Mac. “However, a newly-discovered piece of malware (via Reddit) falls into the ‘seriously nasty’ category – able to spy on all your Internet usage, including use of secure websites.”

“Security researchers at CheckPoint found something they’ve labelled OSX/Dok, which manages to go undetected by Gatekeeper and stops users doing anything on their Mac until they accept a fake OS X update,” Lovejoy reports. “OSX/Dok does rely on a phishing attack as its initial way in. Victims are sent an email claiming to be from a tax office regarding their income tax return, asking them to open an attached zip file for details.”

“But after that, the approach taken by the malware is extremely clever,” Lovejoy reports. “It installs itself as a Login Item called AppStore, which means it automatically runs each time the machine is booted. It then waits for a while before presenting a fake macOS update window.”

Read more in the full article here.

MacDailyNews Take: Never open an unexpected zip file, even if it’s from someone you know.

Checkpoint’s Ofer Caspi writes, “The malware mostly targets European users… All is left to say: beware of Trojans bearing gifts, especially if they ask for your root password.” More details via Checkpoint here.

8 Comments

  1. When I see growth rates in the range of 744%, I always wonder what the base and final values are. Growth from 1 to 3 represents a 200% increase, but may not be material in the grand scheme of things. If macOS malware grew by 744% last year, then the implication is that it entered the year at a relatively low level.

    I don’t like that the malware bypasses Gatekeeper and most antivirus apps. But the user has to agree to launch a zip file and install an application. I assume that the application falls into the “untrusted” category, so you would also have to approve bypassing that warning to install it. Furthermore, it is not all that clever to install it as a startup application. That is actually rather crude and, I imagine, easy to fix. Anyone who falls for this is woefully uninformed.

          1. Do you get it in your Gmail? I use FastMail mostly now, it’s moderately priced but they don’t vacuum up my data. Gmail is still a secondary email but rarely used, mostly just newsletter subscriptions.

            1. No, not GMail. I’ve all but shut down my Gmail account. It all comes in to my iCloud mail account. I recently signed up with the revived LavaBit, but have not set it up on my gear yet.

              I also get plenty of phishing that fakes to be other services. Fed Ex, WhatsApp, LinkedIn, Apple…. They arrive from all over the world, which likely means BotNet.

              Because I turn every spam into SpamCop.net, the spam rat grapevine figured me out and I rarely received spam. But these BotNet bums don’t appear to share lists with one another. They just incessantly spam bomb the hell out of everything and everyone. I keep turning them in. But they don’t have to care because they have a BotNet!

            2. FastMail has been good about filtering. I forward all of my mail from a website email into my personal account and the spam that was ending up in the other inbox is almost all filtered now.

  2. I’ve been bitching about Apple’s easy-to-abuse Enterprise developer security certificate system for a couple years now. I’m going to bet that’s where the malware’s certificate came from:

    The reason Gatekeeper doesn’t block the malware in the first place is that it has a valid developer’s certificate.

    BAD Apple!

    Meanwhile, CSA Comodo is also in hot water for providing the bogus Internet security certificate:

    The malware will then proceed to install a new root certificate in the victim system, which allows the attacker to intercept the victim’s traffic using a Man in The Middle (MiTM) attack. By abusing the victim’s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser.

    Both certificates are easily revoked. AND my security net pal Al Varnell has verified that the evil Apple security certificate HAS BEEN REVOKED.

    Meanwhile: The problem of stealing Apple Enterprise developer security certificates remains.

    Here is the source CheckPoint article. It provides further illustrations of the OSX.Trojan.Dok.A at work:

    http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
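
The article body describes the trojan's persistence (a Login Item named "AppStore") and the comment above describes its root-certificate install for MITM. The script below is an added, defender-side example that is not from the page, CheckPoint, or Apple: it flags login items whose name imitates an Apple app but whose path lies outside Apple-owned directories, and it diffs the SHA-256 fingerprints of the System keychain's certificates against a saved baseline so a newly injected root stands out. The directory prefixes, the lookalike-name list, the sample PEM blobs (fake bodies, not real certificates), and the `osascript`/`security` invocations used for live collection on a Mac are assumptions; only the live collectors touch the OS, and they are skipped off macOS.

```python
"""Added example: two host checks for the OSX/Dok indicators the page describes.
Not code from the page, CheckPoint or Apple; directory prefixes, name list and
sample data are assumptions/constructed for illustration."""
import base64
import hashlib
import platform
import ssl
import subprocess

# Assumption: directories where genuine Apple-shipped login items live.
APPLE_OWNED_PREFIXES = ("/System/", "/Applications/", "/Library/Apple/")
# Assumption: Apple-sounding names an imitator might borrow; "AppStore" is the
# Login Item name the article attributes to the trojan.
APPLE_LOOKALIKE_NAMES = {"appstore", "app store", "finder", "safari", "software update"}

APPLESCRIPT_LIST_LOGIN_ITEMS = """
tell application "System Events"
    set out to ""
    repeat with li in login items
        set out to out & (name of li) & tab & (path of li) & linefeed
    end repeat
    return out
end tell
"""


def flag_login_items(items):
    """items: iterable of (name, path). Returns [(name, path, reason)] for
    entries whose name looks like an Apple app but whose path is not Apple-owned."""
    findings = []
    for name, path in items:
        if name.strip().lower() in APPLE_LOOKALIKE_NAMES and not path.startswith(APPLE_OWNED_PREFIXES):
            findings.append((name, path, "Apple-looking name outside Apple-owned directories"))
    return findings


def cert_fingerprints(pem_text):
    """Split concatenated PEM output (as printed by `security find-certificate -a -p`)
    into SHA-256 fingerprints of each DER body, in the order they appear."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    fps, start = [], 0
    while True:
        b = pem_text.find(begin, start)
        if b < 0:
            break
        e = pem_text.find(end, b)
        if e < 0:
            break
        der = ssl.PEM_cert_to_DER_cert(pem_text[b:e + len(end)])  # base64 -> DER bytes
        fps.append(hashlib.sha256(der).hexdigest())
        start = e + len(end)
    return fps


def new_roots(current_pem, baseline_fps):
    """Fingerprints present now but absent from the recorded baseline."""
    return sorted(set(cert_fingerprints(current_pem)) - set(baseline_fps))


def _fake_pem(body):
    """Constructed sample: wraps arbitrary bytes as a PEM block. Not a real cert."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(body).decode() + "-----END CERTIFICATE-----\n"


# Constructed sample keychain dump: two known roots plus one injected root.
SAMPLE_KEYCHAIN_PEM = _fake_pem(b"baseline root 1") + _fake_pem(b"baseline root 2") + _fake_pem(b"injected root")
SAMPLE_BASELINE = cert_fingerprints(_fake_pem(b"baseline root 1") + _fake_pem(b"baseline root 2"))


def collect_login_items():
    """Live collection on macOS via System Events (assumed invocation)."""
    out = subprocess.run(["osascript", "-e", APPLESCRIPT_LIST_LOGIN_ITEMS],
                         capture_output=True, text=True, check=True).stdout
    return [tuple(line.split("\t", 1)) for line in out.splitlines() if "\t" in line]


def collect_system_roots_pem():
    """Live collection on macOS: all System keychain certificates as PEM."""
    return subprocess.run(["security", "find-certificate", "-a", "-p",
                           "/Library/Keychains/System.keychain"],
                          capture_output=True, text=True, check=True).stdout


def main():
    if platform.system() == "Darwin":
        items, pem = collect_login_items(), collect_system_roots_pem()
        baseline = SAMPLE_BASELINE  # replace with fingerprints saved from a clean machine
    else:
        items = [("AppStore", "/Users/victim/Library/Application Support/AppStore.app"),
                 ("App Store", "/Applications/App Store.app")]  # constructed sample
        pem, baseline = SAMPLE_KEYCHAIN_PEM, SAMPLE_BASELINE
    for name, path, why in flag_login_items(items):
        print(f"SUSPICIOUS LOGIN ITEM: {name} -> {path} ({why})")
    for fp in new_roots(pem, baseline):
        print(f"ROOT NOT IN BASELINE: sha256={fp}")


if __name__ == "__main__":
    main()
```

On a Mac, run it once on a known-clean machine, save the fingerprints `cert_fingerprints(collect_system_roots_pem())` returns, and feed that list in place of `SAMPLE_BASELINE` so the diff reports only certificates added since.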
