A brand new malware is currently targeting all Mac users. The threat installs the Signal private-messaging application onto victims’ mobile devices in order to steal their banking credentials.
The Mac malware is called OSX/Dok, and its attack vector is phishing email carrying a malicious application. The hackers behind this campaign buy Apple certificates in order to sign their malicious application.
Once installed on the device, the OSX/Dok malware modifies the OS settings with a shell command that disables security updates. Then the threat alters the local hosts file to redirect all communication with various Apple websites to the local computer.
These modifications prevent the computer from contacting outside services that could help the victims recover their files.
After that, the OSX/Dok malware starts its pre-show: a man-in-the-middle (MitM) attack designed to intercept the victim’s traffic. To do this, the malware installs the Tor browser and a proxy on the device, geolocates the user, and then delivers a proxy settings file.
A security expert from Check Point’s malware research team states:
“The proxy file will redirect all traffic to the mentioned domains, used mainly by banks (such as ‘credit-suisse’, ‘globalance-bank’, ‘cbhbank’ etc.) or other financial entities, to the local proxy that the malware had set up on the local machine. The proxy will then redirect it to the malicious C&C server on TOR (currently ‘m665veffg3tqxoza.onion’). This way, once the victim tries to visit any of the listed sites, they will be redirected to a fake website on the attacker’s C&C server.”
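The two host-level changes described above, Apple domains pinned to the local machine in the hosts file and bank domains routed to a local proxy by the proxy file, are both visible in plain text files, which makes them easy to check for on a suspect Mac. The following Python script is an added example and is not code from this article or from Check Point’s research. It parses a constructed hosts file and a constructed proxy auto-config (PAC) file modelled on the quoted description, flags entries that map Apple domains to loopback, and lists which bank-domain patterns are sent to a proxy on the local machine. The file layouts, the proxy port 5555, the specific Apple hostnames and the watched suffix list are assumptions; only the three bank names come from the quote.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample hosts file. The apple.com entries imitate the localhost
# redirection the article describes; the remaining lines are benign defaults.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
127.0.0.1       swscan.apple.com    # hypothetical entry for illustration
127.0.0.1       gs.apple.com        # hypothetical entry for illustration
10.0.0.5        intranet.example.local
"""

# Constructed PAC text modelled on the quoted "proxy file": the named bank
# domains go to a proxy on the local machine, everything else goes DIRECT.
# The bank names are from the quote; the PAC layout and port are assumed.
SAMPLE_PAC = """\
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*credit-suisse*") ||
        shExpMatch(host, "*globalance-bank*") ||
        shExpMatch(host, "*cbhbank*")) {
        return "SOCKS5 127.0.0.1:5555";   // hypothetical local proxy port
    }
    return "DIRECT";
}
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1", "localhost"}
# Vendor domains that should never resolve to the local machine (assumed list).
WATCHED_SUFFIXES = ("apple.com", "icloud.com")

RETURN_RE = re.compile(r'return\s+"([^"]+)"')
PROXY_VAL_RE = re.compile(r"^(?:PROXY|SOCKS5?|HTTPS?)\s+([^\s:]+):(\d+)", re.I)
PATTERN_RE = re.compile(r'(?:shExpMatch|dnsDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)')


def _is_watched(name: str) -> bool:
    """True when name is one of the watched domains or a subdomain of one."""
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs where a watched domain is pinned to loopback."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        findings.extend((ip, n) for n in names if _is_watched(n))
    return findings


def local_proxy_redirects(pac_text: str) -> Dict[str, str]:
    """Map each host pattern in the PAC file to the loopback proxy it is routed to.

    Heuristic: host patterns are attributed to the next 'return' statement that
    follows them, which matches the common if-block-then-return PAC layout.
    """
    redirects: Dict[str, str] = {}
    cursor = 0
    for m in RETURN_RE.finditer(pac_text):
        chunk = pac_text[cursor:m.start()]
        cursor = m.end()
        pm = PROXY_VAL_RE.match(m.group(1))
        if pm and pm.group(1).lower() in LOOPBACK:
            target = f"{pm.group(1)}:{pm.group(2)}"
            for pattern in PATTERN_RE.findall(chunk):
                redirects[pattern] = target
    return redirects


def report(hosts_text: str, pac_text: str) -> List[str]:
    """Human-readable findings for both files; empty list means nothing flagged."""
    lines = [f"hosts: {name} -> {ip}" for ip, name in suspicious_hosts_entries(hosts_text)]
    lines += [f"proxy: {pat} -> {dst}" for pat, dst in local_proxy_redirects(pac_text).items()]
    return lines


if __name__ == "__main__":
    # On a real machine, read /etc/hosts and the configured PAC file instead.
    for line in report(SAMPLE_HOSTS, SAMPLE_PAC):
        print(line)
```

On a live system the hosts text would come from /etc/hosts and the PAC text from whatever auto-proxy URL the network service is configured with; any Apple domain resolving to loopback, or any bank pattern routed to a proxy on 127.0.0.1, is the kind of finding that warrants pulling the machine for closer inspection.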
Once the virus has completed its MitM attack, OSX/Dok starts its main event. When the victims open a website of one of the targeted banks, they see a malicious copy of the actual bank’s website asking them to download an application onto their mobile devices “for security reasons.”
When the victim submits a working phone number, the hackers send a link to download the mobile app. At the same time, the malware’s creators send the victims a link to Signal, the encrypted messaging application.
The Check Point researcher Ofer Caspi is not sure why OSX/Dok’s handlers are pushing Signal onto victims, but he already has a theory:
“It is possible that Signal installed on the victim’s mobile device would allow the attacker to communicate with the victim at a later stage, as the perpetrator is not necessarily active at the same time the victim reaches for the banking site. Using Signal may make it easier for the attacker to masquerade as the bank and trick the victim into providing the SMS they had received from the real bank, when the attacker tries to log in to the site (in case the credentials alone are not enough due to the 2FA). Similarly, the perpetrator might use Signal to commit additional fraudulent activities against the victim at a later time. Whatever the goal may be, Signal will possibly make it harder for law enforcement to trace the attacker.”
The result is that, in the end, the attackers gain access to the victims’ bank accounts, at which point they can do whatever they want with them.
After analyzing OSX/Dok, it turned out that the malware is a copy of the Windows-based Retefe trojan, which hackers have ported to macOS. Considering this fact and Caspi’s statement below, Mac users should certainly take some steps to protect their computers:
“The fact that the OSX/Dok is ported from Windows may point to a tendency. We believe more Windows malware will be ported to macOS, either due to the lower number of quality security products for macOS compared to the ones for Windows, or the rising popularity of Apple computers. According to Gartner, Macs have more than tripled their total market share in less than a decade.”