Apple revoked a legitimate developer certificate used by hackers behind malware dubbed OSX/Dok, which was able to eavesdrop on secure HTTPS traffic of infected systems. On Sunday, Apple also rolled out an update to its XProtect built-in antimalware software to fend off existing and upcoming OSX/Dok-type attacks.
OSX/Dok was reported by Check Point last week. According to researchers, an infected system allowed a malicious third party to gain “complete access to all victim communication” including those protected by SSL. Check Point said it’s unclear how many systems may have been impacted by the malware.
Attackers are able to eavesdrop on SSL-protected communication by redirecting a victim’s traffic through a malicious proxy server, explained Ofer Caspi, malware researcher with Check Point in a blog.
“When attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings,” Caspi wrote. “The user traffic is then redirected through a proxy controlled by the attacker, who carries out a man-in-the-middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.”
OSX/Dok was spread via a phishing attack, mostly targeting European users. In an email sent to targets, purportedly from the “Swiss tax office,” was a .zip file (Dokument.zip) that contained a malware bundle signed April 21, 2017 by Seven Muller, called Truesteer.AppStore, Caspi said.
Any user who double-clicked on the .zip file sets off the infection chain where malware copied itself to the /User/Shared folder and executed. Next, a pop-up message warns that the software bundle was damaged and couldn’t be opened.
“If a loginItem (Login Item) named ‘AppStore’ exists, the malware will delete it, and instead add itself as a loginItem, which will persist in the system and execute automatically every time the system reboots, until it finishes to install its payload,” Caspi said.
The warning window prompts the victim to enter a password. “The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine,” according to the report.
With that access, the attackers install the package manager brew, used to install further tools Tor and SOCAT. The malware will then change the target’s network settings so that traffic passes through a proxy controlled by the attacker.
“The malware will then proceed to install a new root certificate in the victim’s system, which allows the attacker to intercept traffic using a man-in-the-middle (MiTM) attack. By abusing the victim’s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser,” Caspi wrote.
What makes the malware so unique is that it impacted all versions of OSX and recorded zero detections on VirusTotal (as of last week), researchers said. “(OSX/Dok) is signed with a valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign,” according to Check Point the report.
Because the certificates used by the malware were valid, the macOS security features such as Gatekeeper recognized OSX/Dok as legitimate. The malware is then free to operate undetected.
Check Point theorizes that hackers were able to hijack a valid Apple developer’s certificate.