Major Scale Mac Malware on the Loose
Well, it really was only a matter of time before the virus writers turned their attention to the venerable Apple platform. Up until now, there have really only been “proof of concept” viruses that attack the Mac OS. There have been a few mass-distribution infections, but for the most part those only attacked users downloading pirated software. So it was basically Karma.
But in the immortal words of Jacques Clouseau:
There’s a new Trojan in town and it is extremely destructive.
The OSX/Dok Trojan will ruin your life – and your beloved Mac, just like all the myriad Windows-based malware has been doing to the Microsoft camp for the last 2 decades. Remember the Michelangelo virus? Bueller? Bueller? Anyone? Anyone? It was one of the early mass-scale infections that just flat out destroyed all your data on Michelangelo’s birthday. Since then, the ante has been raised considerably with ransomware. But up until right now, Mac users were justified in being smug about their relative invulnerability.
This is the first Major Scale malware to attack OSX and MacOS.
Most current anti-malware / antivirus products DO NOT Detect This Trojan.
OSX/Dok has so far been distributed in Europe via phishing emails alleging there are inconsistencies in the target’s tax return. That most likely will not be a limitation for long.
It is not detected by the Mac Gatekeeper, as its digital signature is considered legitimate. Normally, Gatekeeper would keep something like this from running, which is why OSX has been relatively invulnerable to infection for so long. OSX/Dok has cleverly circumvented the Gatekeeper function.
The malware bundle is contained in a .zip archive named Dokument.zip. It was signed on April 21st, 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.
Upon execution, the malware will copy itself to the /Users/Shared/ folder, and will then proceed to execute itself from the new location by running shell commands.
It forces the user to download and install a bogus update. Unless you accede to its demands, your computer is completely unusable.
Once the payload is installed, all your external communication is forwarded through a remote proxy server, so your web surfing and email are being handed off to a bogus server. The attacker has total control of your computer.
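A defender's triage script for the two behaviours described above (staging a copy in /Users/Shared, and redirecting traffic through a proxy). This is an added example, not code from the original post or from Check Point's report; it assumes the staged payload is an executable file or .app bundle and that the redirection is visible as a system-wide proxy in `scutil --proxy` output, and the sample output, hostname and port are constructed placeholders.

```python
import os
import re
import subprocess
import sys

STAGING_DIR = "/Users/Shared"  # folder the post says the malware copies itself into
# Constructed sample of `scutil --proxy` output; hostname and port are placeholders.
SAMPLE_SCUTIL = """<dictionary> {
  HTTPEnable : 1
  HTTPPort : 8080
  HTTPProxy : proxy.example.invalid
  HTTPSEnable : 1
  HTTPSPort : 8080
  HTTPSProxy : proxy.example.invalid
}
"""
def find_executables(root):
    """Return executable files and .app bundles under root; /Users/Shared normally holds only documents."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                hits.append(os.path.join(dirpath, d))
                dirnames.remove(d)  # report the bundle once; do not descend into it
        for f in filenames:
            path = os.path.join(dirpath, f)
            if not os.path.islink(path) and os.access(path, os.X_OK):
                hits.append(path)
    return sorted(hits)

def parse_scutil_proxy(text):
    """Turn `scutil --proxy` output into a {key: value} dict of strings."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(\w+)\s*:\s*(.+?)\s*$", text, re.M)}

def enabled_proxies(settings):
    """List (scheme, target) for every proxy the settings enable, PAC included."""
    found = [(s, f"{settings.get(s + 'Proxy', '?')}:{settings.get(s + 'Port', '?')}")
             for s in ("HTTP", "HTTPS", "SOCKS") if settings.get(s + "Enable") == "1"]
    if settings.get("ProxyAutoConfigEnable") == "1":
        found.append(("PAC", settings.get("ProxyAutoConfigURLString", "?")))
    return found

if __name__ == "__main__":
    for p in find_executables(STAGING_DIR):
        print("executable in staging dir:", p)
    text = SAMPLE_SCUTIL if sys.platform != "darwin" else subprocess.run(
        ["scutil", "--proxy"], capture_output=True, text=True).stdout  # live config on a Mac
    for scheme, target in enabled_proxies(parse_scutil_proxy(text)):
        print(f"{scheme} proxy enabled -> {target}")
```

Off a Mac the script runs against the constructed sample; on a Mac it reads the live proxy configuration, and anything it reports in /Users/Shared or as an enabled proxy is a lead to investigate, not proof of infection.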
Currently, your best protection is to NEVER download / open an email attachment you cannot absolutely verify in advance.
Remember: “Most current anti-malware / antivirus products DO NOT Detect This Trojan.” Therefore, your only protection is to be extremely careful what emails you open and download from.
Read the full article on this topic by Check Point.