A new strain of Mac malware has been discovered by the malware research team at CheckPoint. The new bit of nastiness affects all versions of the Mac operating system, and spies on HTTPS traffic.
MacRumors notes the malware has been dubbed “DOK” and is being spread via an email phishing campaign specifically targeting macOS users, which researchers say is a first.
The malware works by gaining administration privileges in order to install a new root certificate on the user’s system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL.
The initial email purports to inform the recipient of issues with their tax return, and asks them to download a zipped file attachment in which the malware is hidden. Because the malware is signed with a valid developer certificate, macOS's built-in Gatekeeper security feature is said to let it run rather than block it. The malware copies itself to the “/Users/Shared/” folder and creates a login item so that it persists across reboots.
The malware then presents a “security message” to the user, claiming an update is available for the system and requiring a password to be entered. The Mac malware then uses that password to gain complete admin privileges and changes the network settings to send all outgoing connections through a proxy. It also installs additional tools that allow it to perform a man-in-the-middle attack on all internet traffic.
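The three changes described above (a login item pointing into /Users/Shared, outbound traffic redirected through a proxy, and a new root certificate in the System keychain) are all visible from the command line, so a defender can audit a Mac for them. The script below is an added example written for this article, not code from CheckPoint or MacRumors. It assumes the standard output formats of `networksetup -getwebproxy`, `networksetup -getautoproxyurl`, `security find-certificate -a -p` and the System Events login-item query, assumes the network service is named "Wi-Fi", and the sample inputs it parses are constructed for illustration. Each parser takes command output as text, so it runs offline on any platform; the live checks only execute on macOS.

```python
#!/usr/bin/env python3
"""Audit a Mac for the indicators described in the DOK write-up.

The parsers work on plain text so they can be exercised with constructed
samples; run_live() invokes the real macOS tools only on Darwin.
"""
import base64
import hashlib
import platform
import subprocess

# Assumption: the network service to inspect is called "Wi-Fi".
NETWORK_SERVICE = "Wi-Fi"
# Assumption: DOK drops its payload under /Users/Shared/ (from the write-up).
SUSPECT_PREFIX = "/Users/Shared/"

# Constructed sample output (not captured from a real infection).
SAMPLE_LOGIN_ITEMS = "/Users/Shared/Updater.app, /Applications/Safari.app"
SAMPLE_WEB_PROXY = "Enabled: Yes\nServer: 127.0.0.1\nPort: 5555\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"


def parse_login_items(text):
    """Return login-item paths that live under the suspect drop folder.

    `osascript` prints the paths as a comma-separated list."""
    paths = [p.strip() for p in text.split(",") if p.strip()]
    return [p for p in paths if p.startswith(SUSPECT_PREFIX)]


def parse_proxy(text):
    """Parse the 'Key: Value' lines printed by networksetup proxy queries.

    Returns a dict of lower-cased keys; 'enabled' is normalised to a bool."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    fields["enabled"] = fields.get("enabled", "No").lower() == "yes"
    return fields


def unexpected_root_certs(pem_text, baseline_fingerprints):
    """Split a PEM dump into certificates, SHA-256 the DER of each, and
    return the fingerprints that are not in the trusted baseline."""
    unexpected, body, inside = [], [], False
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside, body = True, []
        elif line.startswith("-----END CERTIFICATE-----"):
            inside = False
            der = base64.b64decode("".join(body))
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint not in baseline_fingerprints:
                unexpected.append(fingerprint)
        elif inside:
            body.append(line.strip())
    return unexpected


def run_live(baseline_fingerprints=frozenset()):
    """Run the real macOS commands and report findings (Darwin only)."""
    if platform.system() != "Darwin":
        return None
    out = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    findings = {}
    findings["login_items"] = parse_login_items(out(
        "osascript", "-e",
        'tell application "System Events" to get the path of every login item'))
    for flag in ("-getwebproxy", "-getsecurewebproxy", "-getautoproxyurl"):
        findings[flag] = parse_proxy(out("networksetup", flag, NETWORK_SERVICE))
    findings["root_certs"] = unexpected_root_certs(out(
        "security", "find-certificate", "-a", "-p",
        "/Library/Keychains/System.keychain"), baseline_fingerprints)
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("suspect login items:", parse_login_items(SAMPLE_LOGIN_ITEMS))
    print("web proxy:", parse_proxy(SAMPLE_WEB_PROXY))
    print("unbaselined certs:", unexpected_root_certs(SAMPLE_PEM, set()))
    live = run_live()
    if live is not None:
        print("live findings:", live)
```

The certificate check compares against a baseline of fingerprints you record from a known-good machine; an empty baseline simply lists every certificate in the System keychain, which is still useful for eyeballing a freshly added root. A proxy with `enabled` true and a loopback server, together with a login item under /Users/Shared, is the combination the write-up describes.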
Researchers say the DOK malware has yet to be detected by any Mac antivirus program, and are advising Apple to revoke the developer certificate associated with the app’s author immediately.