Mac Malware Ducks Apple’s Defenses, Reads Your Email


Editor's Note: This article originally appeared on Laptop Mag.

OSX/Dok is the latest sophisticated piece of spyware to target MacBooks and other macOS machines, and it got onto systems quickly not by exploiting a bug, but by abusing a weak spot in the desktop operating system's defenses. That weak spot? Gatekeeper, macOS's first line of defense against untrusted software, lets through any app signed with a valid Apple Developer ID certificate, and anyone can get one of those from Apple for $99 a year.

Image: Jeremy Lips/Laptop Mag

OSX/Dok's distributors used the age-old tactic of targeting victims with an email attachment, which in this case contained malware signed with a legitimate Apple Developer ID certificate. With that certificate, OSX/Dok could casually walk past macOS's Gatekeeper like it owned the place, trick the user into handing over admin rights, and then intercept the user's encrypted web traffic, including Gmail sessions and online financial transactions.


The malware, according to a blog post late last week by the Israeli security firm Check Point, comes bundled into an email attachment dubbed "Dokument.zip" attached to German-language emails claiming to be from Swiss government agencies inquiring about tax-return inconsistencies.

Once a user opens the ZIP file and runs its contents, the malware copies itself to the /Users/Shared directory and deletes the original copy from the Downloads folder. It then shows the user a fake error message claiming that the system can't open the Dokument file, followed by a nag window demanding administrative credentials to install a purported system update. That window can't be closed until the user relents.

Of course, providing OSX/Dok with admin credentials simply supercharges its abilities: the malware can now run with root privileges in the background, essentially owning your system.

Once it does so, OSX/Dok installs a Tor client and reroutes your web traffic through a proxy server. It also installs a certificate authority that the system trusts, so the proxy can decrypt secure communications and re-encrypt them en route using certificates it mints itself; the HTTPS padlock icon stays in place and the user is none the wiser. By performing that man-in-the-middle attack, OSX/Dok can read your Gmail and Facebook sessions, and potentially steal information about online purchases or online bank accounts.

Macworld's Glenn Fleishman reported today (May 1) that Apple has revoked the developer certificate used by OSX/Dok. Gatekeeper should now block the existing samples as long as you leave it on its default settings, but it wouldn't take much of an update to OSX/Dok to try to trick the user into temporarily disabling Gatekeeper, or to ship a build signed with a fresh certificate.
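The checks a practitioner would run on a suspect Mac, covering the three points above (Gatekeeper's trust in a Developer ID signature and what revocation changes, an injected proxy, and an extra trusted certificate authority), as an added triage script that is not from the article or from Check Point's report. Each parser reads one macOS tool's output on stdin so the logic can be tried offline; the proxy address, PAC URL, certificate name and app paths in the examples are constructed, and the `Wi-Fi` service name in `run_on_mac` is an assumption to adjust with `networksetup -listallnetworkservices`.

```shell
#!/bin/sh
# Added triage script, not from the article or from Check Point's report.
# Each parser reads one macOS tool's output on stdin so the logic can be
# tried offline with constructed text; run_on_mac() wires up the real tools.

# Exit 0 when `spctl --status` reports "assessments enabled".
gatekeeper_enabled() {
  grep -q '^assessments enabled'
}

# Reduce `spctl --assess --verbose=4 --type execute <app>` output to
# "<verdict>|<source>", e.g. "accepted|Developer ID". After Apple revokes
# a Developer ID certificate the same binary assesses as "rejected".
assessment_summary() {
  awk '
    /: accepted$/ { verdict = "accepted" }
    /: rejected$/ { verdict = "rejected" }
    /^source=/    { src = substr($0, 8) }
    END { printf "%s|%s\n", verdict, src }'
}

# Reduce `networksetup -getwebproxy|-getsecurewebproxy|-getautoproxyurl <service>`
# output to "disabled" (exit 1) or "enabled host:port" / "enabled <PAC URL>"
# (exit 0). A proxy you never configured is the first sign of an HTTPS MITM.
proxy_state() {
  awk -F': ' '
    $1 == "Enabled" { en = $2 }
    $1 == "Server"  { srv = $2 }
    $1 == "Port"    { port = $2 }
    $1 == "URL"     { url = $2 }
    END {
      if (en != "Yes") { print "disabled"; exit 1 }
      if (url != "" && url != "(null)") print "enabled " url
      else print "enabled " srv ":" port
    }'
}

# Print the names of certificates carrying admin trust settings, from
# `security dump-trust-settings -d`. A clean Mac normally lists none, and a
# CA used to forge site certificates has to be trusted somewhere like this.
admin_trusted_certs() {
  sed -n 's/^Cert [0-9][0-9]*: //p'
}

# The real invocations; these tools exist only on macOS. "Wi-Fi" is an
# assumed service name: check `networksetup -listallnetworkservices`.
run_on_mac() {
  app="${1:?usage: run_on_mac /path/to/Suspect.app}"
  spctl --status | gatekeeper_enabled || echo "WARNING: Gatekeeper assessments are disabled"
  printf 'assessment: '
  spctl --assess --verbose=4 --type execute "$app" 2>&1 | assessment_summary
  for kind in getwebproxy getsecurewebproxy getautoproxyurl; do
    printf '%s: ' "$kind"
    networksetup -"$kind" Wi-Fi | proxy_state || true
  done
  echo 'admin-trusted CAs:'
  security dump-trust-settings -d 2>/dev/null | admin_trusted_certs
}

# Stand-alone use on a Mac: sh triage.sh /path/to/Suspect.app
if [ "$(uname)" = Darwin ] && [ $# -gt 0 ]; then
  run_on_mac "$1"
fi
```

On a clean machine you expect `assessments enabled`, every proxy reported as `disabled`, and an empty CA list; `spctl` returning `rejected` for a sample that was `accepted` a week earlier is exactly what the certificate revocation described above looks like from the endpoint.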

So, what can you do?

  • First off, just because you have a Mac doesn't mean you don't need antivirus software. Here are our favorite picks for macOS machines.
  • As always, we advise users to never open up email attachments they are not 100 percent certain about.
  • And for an extra layer of protection, install the free XFENCE tool, which blocks rogue apps from taking over your system.