‘Dok’ Malware on MacOS ⇥ blog.checkpoint.com

Ofer Caspi of Check Point Software:

People often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check Point malware research team. This new malware – dubbed OSX/Dok — affects all versions of OSX, has 0 detections on VirusTotal (as of the writing of these words), is signed with a valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign.

Once OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL. This is done by redirecting victim traffic through a malicious proxy server.

Glenn Fleishman, Macworld:

Apple confirmed that Gatekeeper wasn’t bypassed. That developer certificate has been revoked, which will prevent it launching in the future without a warning. Apple has confirmed that it updated XProtect, its silent malware signature system, to ward it off as well. There’s no indication about how many users might have been infected, as Check Point’s research team encountered it in the wild.

The malware is only able to execute its payload by requiring the user to jump through a lot of manual steps — including, of course, typing an administrator’s password. MacOS requires administrator-level privileges on a semi-regular basis; a user might type their admin password into a prompt at least a few times every week without really thinking about it. As much as all of us are aware that we shouldn’t open sketchy email attachments, we should also be very cautious of any request for a system admin password.

Fortunately, Apple has an existing asset that would make the Mac far more secure: the Mac App Store. Apps there are vetted and, because of the store’s rules, would never ask a user for an admin password. If the Mac App Store were part of a healthier ecosystem, I think more users would see it as their first choice and, consequently, be more concerned when any app requests an admin password.