In Capsule:
- Check Point researchers have discovered a new malware strain, OSX/Dok.
- The malware targets macOS devices, which are commonly perceived to be malware-proof.
- The malware is believed to be a mutated form of the one detected in May 2017.
- The malware bypasses Apple's Gatekeeper by being signed with legitimate Apple certificates.
- The attack is launched through a phishing email that mimics a reputed bank.
- The malware aims to steal the victim's bank credentials.
- The email also prompts the user to install an app, Signal.
- Apple has initiated measures to counteract the malware, though it remains very potent.
- All macOS users must stay aware and vigilant so they can recognize the fake bank emails.
Beware! A newly launched malware targets macOS devices and is powerful enough to bypass Apple's Gatekeeper, the macOS security feature that, with its default settings, prevents the installation of unsigned applications. Researchers at Check Point recently discovered a new malware named OSX/Dok that targets macOS devices, easily bypasses Gatekeeper, and steals the user's credentials. The malware is considered quite powerful because it affects macOS users, who are usually perceived to be malware-proof.

According to the Check Point blog post, the attackers are after the user's banking credentials: they mimic major bank sites and prompt the user to install an application on the device, which could lead to further infection and data leakage from the device.

This OSX/Dok variant has more advanced capabilities than the one detected in May 2017, which was only involved in stealing credentials and spying on the victim's network traffic. The new malware now surging could be a mutated form of the earlier one. Researchers have tracked a tremendous rise in OSX/Dok samples over the last few weeks. The attackers are purchasing a large number of Apple certificates to sign the malware with, which is enough to get it past Apple's Gatekeeper. Apple has already been informed and is constantly revoking the compromised certificates, while new ones keep appearing in significant numbers daily.

How does the OSX/Dok malware spread?

The malware is spread through a phishing campaign. First, it tricks the user with a spam email that appears to come from a known, reputed bank and urges them to download the infected files. After installation, the malware disables all the security protocols on the system, making it difficult for security software to detect. It then redirects all traffic from the Apple server to the local machine itself and establishes communication with its command-and-control server via Tor.

This probably clears the way to obtain the IP address of the user's device. The IP address helps the attacker identify the banks within the victim's location and initiate the infection process. The attacker also prompts the user to download a legitimate messenger app called Signal, and users are asked to enter their phone number for SMS authentication. The exact reason behind the installation of this application is not clear. It may be used to bypass two-factor authentication (2FA), the process banking sites use for authentication, and to help the attacker communicate with the victim at later stages. It could also serve to track the success rate by counting the number of installations.

Even though the malware is powerful and still on the loose, it will be less effective because most users are now well aware of spam emails. However, internet users have to be very vigilant and alert in the present scenario to stay safe against the rising number of cyber attacks.

Disclaimer:

Secure Reading has no confirmed sources for the information shared in the above news/articles. It relies on various unconfirmed inputs, social media claims, and websites for its content, and cannot guarantee the accuracy, timeliness, and genuineness of the same. If there is any error in the news, once it is brought to our attention with relevant evidence, Secure Reading is willing to make the necessary corrections as applicable.