
DOK malware massively targets Mac-OS users

Discussion in 'BlackHat Lounge' started by amoon, May 5, 2017.

  1. amoon

    According to McAfee Labs, malware attacks on Apple's Mac computers were up 744% in 2016, and its researchers have discovered nearly 460,000 Mac malware samples, which is still just a small part of the overall Mac malware out in the wild.


    Today, the Malware Research team at CheckPoint has discovered a new piece of fully undetectable Mac malware, which according to them affects all versions of Mac OS X, has zero detections on VirusTotal and is "signed with a valid developer certificate (authenticated by Apple)."


    Dubbed DOK, the malware is being distributed via a coordinated email phishing campaign and, according to the researchers, is the first major-scale malware to target macOS users.

    The malware has been designed to gain administrative privileges and install a new root certificate on the target system, which allows attackers to intercept and gain complete access to all of the victim's communication, including SSL-encrypted traffic.

    Almost three months ago, Malwarebytes researchers also discovered a rare piece of Mac-based espionage malware, dubbed Fruitfly, which was used to spy on biomedical research center computers and had remained undetected for years.

    Here's How the DOK Malware Works:
    The malware is distributed via a phishing email masquerading as a message regarding supposed inconsistencies in the victim's tax returns, tricking victims into running an attached malicious .zip file, which contains the malware.

    Since the malware author is using a valid developer certificate signed by Apple, the malware easily bypasses Gatekeeper, an inbuilt security feature of Apple's macOS operating system. Interestingly, the DOK malware is also undetectable by almost all antivirus products.


    Once installed, the malware copies itself to the /Users/Shared/ folder and then adds itself as a "loginItem" in order to persist, allowing it to execute automatically every time the system reboots, until it finishes installing its payload.

    The malware then creates a window on top of all other windows, displaying a message claiming that a security issue has been identified in the operating system and that an update is available, for which the user has to enter his/her password.

    Once the victim installs the update, the malware gains administrator privileges on the victim's machine and changes the system's network settings, allowing all outgoing connections to pass through a proxy.

    According to CheckPoint researchers, "using those privileges, the malware will then install brew, a package manager for OS X, which will be used to install additional tools – TOR and SOCAT."

    DOK Deletes itself after Setting up Attacker's Proxy
    The malware then installs a new root certificate in the infected Mac, which allows the attacker to intercept the victim’s traffic using a man-in-the-middle (MiTM) attack.


    Credits: TheHackernews.com
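Added example, not part of the post above and not code from CheckPoint, Apple or TheHackerNews: a host-triage script for the four behaviours the post describes (login item under /Users/Shared, outbound proxy settings, brew/tor/socat installed, a root certificate with custom trust settings). Each check takes captured command output as its argument, so it can be run on the suspect Mac directly (`--live`) or offline against output saved from one. The output formats of `networksetup`, `osascript` and `security dump-trust-settings` are assumed from those tools' documented behaviour, the /usr/local/bin location for Homebrew binaries is an assumption, and every sample value inside `demo` is constructed for illustration, not a real DOK indicator.

```shell
#!/bin/sh
# Added triage example for the behaviours the post attributes to DOK.
# Not Check Point's, Apple's or TheHackerNews' code. Assumptions: the output
# formats of networksetup/osascript/security as documented; Homebrew binaries
# in /usr/local/bin. Each check_* function takes captured command output (or a
# directory) as its argument, prints findings and returns 1 when it finds
# something suspicious, so the checks also work offline on saved output.

# Login items: input is the output of
#   osascript -e 'tell application "System Events" to get the path of every login item'
# (comma-separated paths). Flags anything launched from /Users/Shared, the
# drop folder named in the post.
check_login_items() {
    found=$(printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
            | grep '^/Users/Shared/' || true)
    if [ -n "$found" ]; then
        printf 'SUSPECT login item(s) under /Users/Shared:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Proxy: input is the output of `networksetup -getwebproxy <service>`,
# `-getsocksfirewallproxy <service>` or `-getautoproxyurl <service>`.
# A clean machine normally reports "Enabled: No" for all three.
check_proxy() {
    if printf '%s\n' "$1" | grep -q '^Enabled: Yes'; then
        printf 'SUSPECT proxy enabled:\n%s\n' "$1"
        return 1
    fi
    return 0
}

# Tooling: the post says the malware installs brew, then tor and socat with it.
# $1 is the directory to inspect (Homebrew's default bin dir on Intel Macs of
# that era was /usr/local/bin; assumption).
check_tools() {
    dir=$1; found=""
    for t in brew tor socat; do
        if [ -x "$dir/$t" ]; then found="$found $t"; fi
    done
    if [ -n "$found" ]; then
        printf 'SUSPECT tools present in %s:%s\n' "$dir" "$found"
        return 1
    fi
    return 0
}

# Root certificate: input is the output of `security dump-trust-settings -d`
# (admin domain). A root made trusted with `security add-trusted-cert -d` is
# listed as "Cert N: <name>"; a clean machine usually reports no trust settings.
check_trust_settings() {
    certs=$(printf '%s\n' "$1" | grep '^Cert [0-9]*:' || true)
    if [ -n "$certs" ]; then
        printf 'REVIEW certificates with custom trust settings:\n%s\n' "$certs"
        return 1
    fi
    return 0
}

# Run every check against the live machine (macOS only). Returns 1 if any fired.
live_scan() {
    status=0
    check_login_items "$(osascript -e 'tell application "System Events" to get the path of every login item')" || status=1
    # First line of -listallnetworkservices is a legend; disabled services carry a leading '*'.
    services=$(networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//')
    old_ifs=$IFS; IFS='
'
    for svc in $services; do
        for kind in -getwebproxy -getsocksfirewallproxy -getautoproxyurl; do
            check_proxy "$(networksetup "$kind" "$svc")" || status=1
        done
    done
    IFS=$old_ifs
    check_tools /usr/local/bin || status=1
    check_trust_settings "$(security dump-trust-settings -d 2>&1)" || status=1
    return $status
}

# Offline demonstration on constructed samples of what an infected host might
# show. These values are made up for illustration, not real DOK indicators.
demo() {
    check_login_items "/Applications/Safari.app, /Users/Shared/Updater.app"
    check_proxy "$(printf 'Enabled: Yes\nServer: 127.0.0.1\nPort: 9050\nAuthenticated Proxy Enabled: 0')"
    check_trust_settings "$(printf 'Number of trusted certs = 1\nCert 0: Example Root CA\n   Number of trust settings : 0')"
    check_tools /usr/local/bin
}

if [ "${1:-}" = "--live" ]; then live_scan; else demo; fi
```

Run it as `sh dok_triage.sh --live` on the suspect Mac, or without arguments to see the checks fire on the constructed samples. Treat the findings as leads, not verdicts: a developer who installed Homebrew, tor or a corporate root certificate themselves will trigger the same checks, and a proxy that is enabled on only one network service is easy to miss if you inspect just Wi-Fi, which is why `live_scan` walks every service that `networksetup` lists.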
  2. Skyebug77

    They done broke any last hope of Mac security...
     
  3. W9go

    Crap, I still felt so much safer on my Mac...
     
  4. amoon


    Yeah, it's still safer, but the amount of malware recently discovered is interesting :)
     
  5. denzero

    You still have to download it, run the installer, accept two layers of security warnings before it can install itself. This is VERY different from the "where the hell did this virus come from?!!" on Windows.
     
  6. JustUs

    All systems have malware. The problem with *nix is that people feel safe and do not use any malware detection. OSX is BSD Unix.