We’ve been telling you about the rising number of malware and security threats targeting Macs these past few months.
We have reported on the very first macro attack, external hacking peripherals like PCILeech, backdoor trojans like Eleanor, webcam hijackers and even cross-platform threats like Mokes making their way to Apple’s platform.
Now, there’s a new malware campaign that’s reportedly targeting Macs with poisoned phishing emails.
Security researchers at Check Point said they have discovered the first major-scale trojan aimed at duping macOS users into downloading Dok, malware that can give attackers full control of their machines.
Additionally, once installed, Dok can intercept and reroute web traffic to serve fake websites or to spy on user activity.
The Dok Campaign
According to Check Point, Dok is spread via a “coordinated email phishing campaign.” Would-be victims are sent an email with a ZIP attachment that contains the malicious payload. (The attachment, in Check Point’s report, is named “Dokument.zip”.)
Like other trojan phishing attacks, Dok requires a number of manual steps and deliberate actions from the user before it can infect a machine.
First, the ZIP file attachment has to be saved and opened deliberately for the enclosed malware bundle to execute.
Once it executes, it copies itself to the Mac’s shared user folder and runs shell commands, which will likely prompt for the machine’s administrator password, before displaying a “file cannot be opened” message. It then replaces the official “AppStore” entry under the machine’s Login Items with a fake version that persistently launches itself on every reboot.
The malware then creates another window overlay claiming that a “security issue has been identified” and a “security update” is needed. Installing this “update” again requires the administrator password, which gives the malware all the permissions it needs to take over the machine.
Although infection still requires deliberate actions from an administrator, one peculiar thing stands out in this campaign: the malware uses a fake developer certificate to fool macOS Gatekeeper into treating it as a legitimate application from an identified developer.
Thankfully, Apple confirmed that Gatekeeper itself has not been bypassed, and it has already revoked the fake developer certificate. This should now prevent Dok from installing, or at least trigger a warning when there is an attempt to install it.
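The two persistence traits described above, a Login Item posing as the App Store and a payload living in the shared user folder, can be triaged from a shell. The script below is an added example, not code from the article or from Check Point; it assumes System Events exposes a name and a path for each login item, uses hypothetical function names, and runs on a constructed sample when not on macOS.

```shell
#!/bin/sh
# Added triage helper (not from the article or Check Point's report). It flags
# Login Items that call themselves the App Store but do not point at Apple's
# bundle, and anything persisting from /Users/Shared, where the text says Dok
# copies itself. Function names are hypothetical; sample input is constructed.

# Input on stdin: one login item per line as "<name><TAB><path>".
# Output: one "SUSPICIOUS<TAB><reason><TAB><name><TAB><path>" line per hit.
flag_login_items() {
    awk -F '\t' '
        {
            name = $1; path = $2; reason = ""
            # A name claiming to be the App Store that does not point at the
            # Apple bundle, or anything that persists from the shared folder
            if (name ~ /^App ?Store$/ && path != "/Applications/App Store.app") {
                reason = "appstore-lookalike"
            } else if (path ~ /^\/Users\/Shared\//) {
                reason = "runs-from-users-shared"
            }
            if (reason != "") printf "SUSPICIOUS\t%s\t%s\t%s\n", reason, name, path
        }'
}

# Live collection, macOS only (assumed AppleScript): System Events enumerates
# Login Items; `log` writes to stderr, hence the redirect into the pipe.
collect_login_items() {
    osascript \
        -e 'tell application "System Events"' \
        -e '  repeat with li in login items' \
        -e '    log (name of li) & tab & (path of li)' \
        -e '  end repeat' \
        -e 'end tell' 2>&1
}

# Constructed sample: a lookalike dropped in /Users/Shared, a normal app, the
# genuine App Store entry, and a helper persisting from the shared folder.
sample_login_items() {
    printf 'App Store\t/Users/Shared/AppStore.app\n'
    printf 'iTunes\t/Applications/iTunes.app\n'
    printf 'App Store\t/Applications/App Store.app\n'
    printf 'Helper\t/Users/Shared/helper.app\n'
}

if [ "$(uname)" = Darwin ]; then
    collect_login_items | flag_login_items   # real triage on a Mac
else
    sample_login_items | flag_login_items    # demo on the constructed sample
fi
```

On the sample, only the two /Users/Shared entries are reported; the genuine App Store entry passes because its path is Apple's own bundle.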
As you can see, Dok requires deliberate user action to infect a machine. As usual, to protect yourself from such attacks, be wary of email attachments sent your way. It is also a good idea to allow only applications from identified developers to be installed on your Mac.
This is also ample evidence that malware makers have started to shift their sights to Apple computers as well. The security gap between macOS and Windows is closing, and it may not be as wide as it was in the past.