Potent OSX malware can gain root access, read HTTPS traffic in affected systems

A new piece of malware named OSX/Dok affects all OSX versions; it can read HTTPS traffic and gain administrator privileges on infected systems.

The malware is signed with a valid Apple developer certificate, installs hacking tools and routes all outgoing connections through a proxy.

First exposed by security firm Check Point, the malware currently passes Apple's Gatekeeper checks because it is signed with a valid developer certificate issued by Apple. As such, it has the potential to infiltrate large numbers of OSX systems across the world, observe their HTTPS traffic and conduct man-in-the-middle cyber-attacks to destroy systems and servers.

"Once OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL. This is done by redirecting victim traffic through a malicious proxy server," wrote Ofer Caspi, a Malware Research team member at Check Point.

"The malware mostly targets European users. For instance, one phishing message was observed to target a user in Germany by baiting the user with a message regarding supposed inconsistencies in their tax returns," he added.


OSX users are sent phishing e-mails with attachments that contain the malware. Once the attachment is opened, the malware deletes the existing 'AppStore' login item and installs its own bundle, Truesteer.AppStore, in its place. That bundle then downloads the payload onto the system after a reboot. When it is done, the malware creates a new pop-up window telling the user to install an update from the App Store. The pop-up cannot be minimized, and the user cannot perform any other task on the system until the "update" is completed. The update also asks the user to type in his or her password, which the malware then uses to gain administrator privileges on the victim's machine.

"The malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting in a malicious server. The malware will then proceed to install a new root certificate in the victim system, which allows the attacker to intercept the victim’s traffic using a Man in The Middle (MiTM) attack. By abusing the victim’s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser," Caspi added.
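The two host-level changes described in the paragraphs above (a forced Proxy Auto-Configuration URL and a new root certificate, plus the replaced 'AppStore' login item) are the things an administrator can audit for. The script below is an added example written for this page; it is not code from the article or from Check Point. It assumes the output formats of the macOS tools `networksetup -getautoproxyurl`, `osascript` (login item names) and `security find-certificate -a` as shown in the constructed sample strings, and the `EXPECTED_ROOTS` baseline is a placeholder an admin would fill in from a known-clean machine.

```shell
#!/bin/sh
# Audit helpers for the changes OSX/Dok is described as making.
# The parsing functions take command output as text so they can be
# exercised offline with constructed samples; run_audit calls the real
# macOS tools only when they exist on the host.

# pac_enabled OUTPUT: OUTPUT is the text printed by
#   networksetup -getautoproxyurl <service>
# Returns 0 (true) if an automatic proxy configuration URL is enabled.
pac_enabled() {
    printf '%s\n' "$1" | grep -q '^Enabled: Yes$'
}

# pac_url OUTPUT: prints the PAC URL from that same text, or nothing
# when macOS reports "(null)".
pac_url() {
    printf '%s\n' "$1" | sed -n 's/^URL: //p' | grep -v '^(null)$'
}

# suspicious_login_items LIST: LIST is the comma-separated output of
#   osascript -e 'tell application "System Events" to get the name of every login item'
# Prints every login item whose name contains "AppStore", the name the
# article says the malware reuses for its own bundle, for manual review.
suspicious_login_items() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -i 'AppStore'
}

# unexpected_roots CERTS BASELINE: CERTS is the attribute dump from
#   security find-certificate -a /Library/Keychains/System.keychain
# BASELINE is a newline-separated list of certificate labels the admin
# expects in the System keychain. Prints labels present but not expected.
unexpected_roots() {
    printf '%s\n' "$1" | sed -n 's/^ *"labl"<blob>="\(.*\)"$/\1/p' | sort -u |
    while IFS= read -r label; do
        printf '%s\n' "$2" | grep -qxF "$label" || printf '%s\n' "$label"
    done
}

# Placeholder baseline: replace with labels captured from a clean machine.
EXPECTED_ROOTS='COMODO RSA Certification Authority'

# Constructed sample outputs (not captured from a real infection).
SAMPLE_PAC_ON='URL: http://pac.example.invalid/proxy.pac
Enabled: Yes'
SAMPLE_PAC_OFF='URL: (null)
Enabled: No'
SAMPLE_LOGIN='iTunesHelper, AppStore, Dropbox'
SAMPLE_CERTS='keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="Example Corp Root"
    "labl"<blob>="Example Corp Root"
class: 0x80001000
attributes:
    "labl"<blob>="COMODO RSA Certification Authority"'

# run_audit: query the live system (macOS only) and report findings.
run_audit() {
    command -v networksetup >/dev/null 2>&1 || { echo "networksetup not found: skipping live audit"; return 0; }
    # First line of -listallnetworkservices is a legend; a leading * marks a disabled service.
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        out=$(networksetup -getautoproxyurl "$svc" 2>/dev/null) || continue
        if pac_enabled "$out"; then
            echo "PAC enabled on $svc: $(pac_url "$out")"
        fi
    done
    items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null)
    suspicious_login_items "$items" | sed 's/^/login item to review: /'
    certs=$(security find-certificate -a /Library/Keychains/System.keychain 2>/dev/null)
    unexpected_roots "$certs" "$EXPECTED_ROOTS" | sed 's/^/root cert not in baseline: /'
}

# Invoke with --live to audit the current host; otherwise only the functions are defined.
if [ "${1:-}" = "--live" ]; then
    run_audit
fi
```

On a clean machine `networksetup -getautoproxyurl` reports `Enabled: No` for every service, so any `Enabled: Yes` with a URL the organisation does not recognise is worth investigating, and a root certificate label that is not in the baseline is the signal to compare against the trust settings before deciding whether it belongs there.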

Such potent malware, if not contained, may not only infiltrate systems but also read e-mails, steal passwords and spy on victims' web usage at all times. What Apple can do is revoke the developer certificate the malware takes advantage of and introduce new checks to ensure similar malware isn't able to infiltrate OSX systems.