Apple has revoked a legitimate certificate harnessed by a new strain of Mac malware which spies on all victim communication.
The sophisticated malware, dubbed OSX.Dok, affects all versions of Apple's OS X operating system, has no detections on VirusTotal at the time of writing and was, until recently, signed with a valid developer certificate which is authenticated by Apple as part of the tech giant's security practices.
According to Check Point researchers, OSX.Dok represents "the first major scale malware to target OS X users via a coordinated email phishing campaign."
The malware, which tends to target European users, spreads through malicious emails and attachments.
The malware is contained in a .zip archive named Dokument.zip, which was signed on 21 April this year under the bundle name "Truesteer.AppStore" by "Seven Muller."
Once executed, the malware copies itself into the Mac /Users/Shared/ folder, and then runs to display fake messages which claim the "package is damaged" and cannot run. If a loginItem named "AppStore" exists, OSX.Dok wipes it and adds itself as a loginItem instead, maintaining persistence in the system and executing every time the machine is rebooted.
Now, the true damage begins. The malware first creates a window which stays on top of all other windows which contains a message claiming there is a security problem in the operating system.
In order to resolve the issue, the message requests that the victim downloads an "update" and enter their password as part of the security check.
The user is then barred from using their PC in any way until they enter their password and allow the malware to execute its payload. This, in turn, gives OSX.Dok administration privileges.
OSX.Dok then installs a package manager for OS X, Tor, and Socat before changing the victim's network to push all outgoing connections through a malicious proxy server. A new root certificate is also installed which gives attackers the opportunity to intercept this traffic through a Man in The Middle (MiTM) attack.
"Once OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL," Check Point says. "By abusing the victim's new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser."
Check Point suggests that a legitimate certificate was hijacked, and now Apple is aware of the malware the certificate has been revoked. This is good news for potential victims as the malware will now not be accepted as legitimate software by OS X, but if it is already on your system, removing two LaunchAgents files should disable the malware.