IT security researchers at Checkpoint recently discovered that a new malware has started to rise and is targeting Mac devices.
The malware is considered quite powerful as it can bypass Apple’s gatekeeper and effectively steal users’ credentials.
Apple rushing to revoke compromised certificates
It is relatively rare to hear news about Mac devices getting compromised due to malware. It is usually Windows that gets infected.
Nevertheless, perhaps due to the increasing popularity of Apple devices, cybercriminals have started to shift their focus from Windows to Mac, making users realize that Mac is not as safe as it is believed to be.
According got a blog post by Checkpoint, one of the things that the researchers pointed out is that the creators of the malware are purchasing as many Apple certificates as they can.
This is because they attach the certificate with the malware so that it can bypass Apple’s gatekeeper, which is essential, the only thing keeping away malicious software from entering devices.
As soon as Apple was informed of this, it rushed to revoke the many certificates it believes have been compromised. However, new certificates are appearing on the scene at an ever-greater speed.
How does the malware work?
The malware was first detected in May this year. However, at the time, all it did was steal credentials from websites and spied on network traffic. The new version, on the other hand, has many superior capabilities.
The malware mimics known banking websites in order to trick the users into entering their credentials. The scam begins by tricking the user into downloading infected files in spam emails.
As soon as the malware is installed, it disables all security protocols so that it is not detected and begins redirecting all the traffic from Apple servers to the local machine itself. Removal of the malware is difficult as it firmly embeds in the Apple system.
Subsequently, it connects to its command-and-control center through a TOR enabled connection and reads the IP address of the victim’s device.
This allows it to tailor its infection accordingly. For instance, the malware will present fake websites of banks that are present in the specific location of the victim.
The malware not only prompts the user into entering his/her credentials as part of logging into the fake websites but also makes the user download a legitimate message app called Signal.
Victims are asked for their phone numbers in order to get SMS authentication for this.
Although the intended purpose of making users download the messaging app is unknown, researchers, however, believe that it might be used to conduct further fraudulent activities or perhaps allow the attacker to assess the success rate of the scam by monitoring the number of downloads.
In any case, the attacker can track all the communication of the victim through the malware.
Similarities with Retefe
Retefe was a Trojan that targeted Windows in the same way that OSX/Dok is targeting Mac. As such, researchers believe that Retefe has essentially been ported from Windows to Mac.
This is quite worrisome as researchers predict more of such malware being ported from Windows to Mac. Given that Mac lacks the required security protocols to prevent infections from such malware, it can be quite catastrophic for Mac users in the future.
Users might still be safe
Despite the powerful threat the malware poses to Mac users, it is still not much of a concern as the malware relies on a very basic form of social engineering to execute itself.
That is, the user needs to download the executable from a phishing email. As long as users are aware of spam emails from unknown addresses, infections can be limited.