OSX/Dok still stealing Apple certs to bypass GateKeeper.

Check Point researchers spotted a phishing campaign, combined with a man-in-the-middle (MiTM) attack, that targets macOS users and spreads the OSX/Dok malware to steal banking credentials by mimicking major banking websites.

Victims are lured through fake websites into installing an application on their mobile devices which could potentially lead to further infection and data leakage, according to a July 13 Check Point blog post.

Researchers identified the fake sites by several discrepancies: incorrect copyright years listed on the page, the absence of the genuine Credit Suisse SSL certificate, and a missing authentication token in the URL.

Threat actors behind the campaign are even going as far as purchasing dozens of Apple developer certificates to sign the malicious application bundle in order to bypass GateKeeper, the macOS security feature designed to prevent installation of unsigned applications on the system.

The malicious application bundle also carries a name similar to those used by Apple, in an attempt to make it appear more credible to the victim. Despite Apple's efforts to revoke the abused certificates, new ones are constantly appearing.

The malware has been upgraded to make detection and removal more difficult: it modifies the victim's OS settings to disable security updates and edits the local hosts file so that the victim, and some Apple services, can no longer communicate, the blog said.

As a result, all traffic from the infected computer is prevented from reaching Apple's website or VirusTotal, a free online service for identifying various malware types.
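The hosts-file tampering described above is one of the easier pieces of this campaign to check for on a suspect machine. The script below is an added example, not code from the Check Point post or from the OSX/Dok sample: it parses a hosts file, ignores comments, and reports every entry that redirects an Apple or VirusTotal hostname (or any subdomain of one). The watched domain list and the sample hosts file are constructed for illustration; the article does not list the exact hostnames the malware adds.

```shell
#!/bin/sh
# Added example (not from the Check Point post or the malware itself):
# find hosts-file entries that redirect Apple or VirusTotal hostnames.
# The domain list below is an assumption for illustration.
BLOCKED_DOMAIN_PATTERN='apple\.com|icloud\.com|virustotal\.com'

# find_hosts_hijacks FILE
# Prints "ADDRESS HOSTNAME" for every non-comment entry whose hostname is a
# watched domain or a subdomain of one. Exit status 0 if any were found, 1 if not.
find_hosts_hijacks() {
    hosts_file="$1"
    sed 's/#.*//' "$hosts_file" |
        awk 'NF >= 2 { for (i = 2; i <= NF; i++) print $1, $i }' |
        grep -E "[[:space:]]([A-Za-z0-9-]+\.)*($BLOCKED_DOMAIN_PATTERN)\$"
}

# count_hosts_hijacks FILE
# Prints the number of hijacked entries (0 when the file is clean).
count_hosts_hijacks() {
    find_hosts_hijacks "$1" | wc -l | tr -d ' '
}

# write_sample_hosts FILE
# Constructed sample: a stock macOS hosts file plus loopback entries for Apple
# and VirusTotal names, mimicking the blocking the article describes.
write_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
127.0.0.1 apple.com www.apple.com
127.0.0.1 swscan.apple.com
127.0.0.1 virustotal.com www.virustotal.com
# a commented-out line must not count:
# 127.0.0.1 example.apple.com
EOF
}

# Stand-alone demo: build the constructed sample and report on it.
# On a real machine, run: find_hosts_hijacks /etc/hosts
demo_hosts_file=$(mktemp)
write_sample_hosts "$demo_hosts_file"
echo "Hijacked entries found: $(count_hosts_hijacks "$demo_hosts_file")"
find_hosts_hijacks "$demo_hosts_file"
rm -f "$demo_hosts_file"
```

Comments are stripped before matching, and every hostname on a multi-name line is checked individually, so an entry such as `127.0.0.1 apple.com www.apple.com` is reported twice. A clean file yields a count of 0 and a non-zero exit status from `find_hosts_hijacks`, which makes the function usable directly in an `if` on a fleet-wide sweep.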

Once infected, the malware installs the “Signal” messaging application for reasons that aren't completely clear to researchers. It is possible the messenger app will be used to bypass two-factor authentication, allow the attacker to communicate with the victim at a later stage, or enable the app to temporarily acquire install rate statistics to prove to the attackers that it is working.

“Unfortunately, the OSX/Dok malware is still on the loose and its owners continue to invest more and more in its obfuscation by using legitimate Apple certificates,” the post said. “The fact that the OSX/Dok is ported from Windows may point to a tendency.”

They went on to say they believe more Windows malware will start being ported over to Mac OS.