New Mac malware is mysteriously pushing the Signal private-messaging app onto victims’ mobile devices as part of a scheme to steal their banking credentials.
The threat, which goes by the name OSX/Dok, uses phishing mail laden with a malicious application as its attack vector. Those who crafted this campaign purchase Apple certificates (US $99) to sign their malicious application. Such willingness helps the malware bypass Gatekeeper’s ever-watchful gaze.
Upon successful installation, OSX/Dok modifies the OS settings with a shell command that disables security updates. It also alters the local host file so that all communication with various Apple websites, as well as VirusTotal, gets redirected to the local machine. These changes prevent the machine from contacting outside services that the victim could use for detection and recovery.
Next, OSX/Dok gets to work with its pre-show: a man-in-the-middle (MitM) attack designed to intercept the victim’s traffic. For this trick, it installs the Tor browser and a proxy before geolocating the hapless user and sending over some approximately proxy file settings.
Ofer Caspi of Check Point’s malware research team explains the point behind these efforts:
“The proxy file will redirect all traffic to the mentioned domains, used mainly by banks (such as ‘credit-suisse’, ‘globalance-bank’, ‘cbhbank’’ etc.) or other financial entities, to the local proxy that the malware had set up on the local machine. The proxy will then redirect it to the malicious C&C server on TOR (currently is ‘m665veffg3tqxoza.onion’). This way, once the victim tries to visit any of the listed sites, they will be redirected to a fake website on the attacker’s C&C server.”
Only after it has completed its MitM attack does OSX/Dok strap in for its main event. When the victim visits a web page for one of the targeted banks, they see a malicious copy of the actual bank’s website prompting them to download an application onto their mobile devices “for security reasons.”
If the user submits a working phone number, the attackers send them a link to download the mobile application. At this time, those behind this malware campaign are sending victims a link to Signal, the encrypted messaging app.
Caspi is not exactly sure why OSX/Dok’s handlers are pushing Signal onto victims. But he has a theory:
“It is possible that Signal installed on the victim’s mobile device would allow the attacker to communicate with the victim at a later stage, as the perpetrator is not necessarily active at the same time the victim reaches for the banking site. Using Signal may make it easier for the attacker to masquerade as the bank and trick the victim into providing the SMS they had received from the real bank , when the attacker tries to log in to the site (in case the credentials alone are not enough due to the 2FA). Similarly, the perpetrator might use Signal to commit additional fraudulent activities against victim at a later time. Whatever the goal may be, Signal will possibly make it harder for law enforcement to trace the attacker.”
Finally, the criminals then gain access to the victim’s bank account, at which point in time they can do whatever they want with it.
Troubling? Yes. Preventable? You betcha.
An isolated incident? Perhaps not for long.
You see where this could be going? Let Caspi spell it out for you:
“The fact that the OSX/Dok is ported from Windows may point to a tendency. We believe more Windows malware will be ported to macOS, either due to the lower number of quality security products for macOS compared to the ones for Windows, or the rising popularity of Apple computers. According to Gartner, Macs have more than tripled their total market share in less than a decade.”
With the influx of macOS-based malware ported from Windows-based threats as a distinct possibility, it’s important that Mac users take some steps to protect their computers.
First of all, they need to lose that “holier-than-thou” attitude and realize EVERYONE – not just Windows users – are vulnerable to malware. Then the healing can begin with the installation of an anti-virus solution. And don’t forget to avoid suspicious links and email attachments!
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.