‘Undetectable’ Mac Malware Can Spy on Encrypted Internet Traffic


Security researchers have discovered a new Mac malware that currently evades antivirus detection, affects all current versions of macOS and OS X, and may be the first wide-scale malicious campaign aimed solely at Mac users.

The newly discovered malware, dubbed DOK, currently has zero detections on VirusTotal, is invisible to most antivirus products, and is signed with a valid Apple developer certificate, according to the Malware Research team at security firm Check Point. Once installed on a machine, DOK gives attackers near-complete access to the computer's communications, including encrypted (HTTPS) traffic. It does so by redirecting the machine's web traffic through a proxy server hosted on the dark web and reached over the Tor network.

The malware is currently being distributed to unwitting victims through an email phishing campaign. So far it mostly targets users in Western Europe, but the researchers say it is the first large-scale malware attack aimed almost entirely at macOS users. The phishing emails reportedly ask recipients to review inconsistencies in their tax returns, tricking them into opening a malicious ZIP file. Because the payload is signed with a valid developer certificate, it passes Apple's Gatekeeper check, which would normally block an unsigned download from running.

Once running, the malware displays a pop-up window claiming that a security issue has been discovered and asking for the user's password. Once the user enters it, the malware has administrative privileges, which it uses to install additional tools, namely Tor and socat. DOK then installs a new root certificate into the system's trust store. With that root trusted, the attackers' proxy can present forged certificates that the victim's browser accepts, so the attackers can impersonate any website the victim visits.

The end result is a man-in-the-middle attack: the attackers can view and tamper with the victim's traffic, HTTPS included. Reportedly, once it has finished setting up the proxy redirection, the original DOK binary deletes itself, which makes the infection harder to notice; the proxy settings and the added root certificate, which the attack depends on, remain in place.
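The following is an added example and not code from the article or from Check Point: a POSIX shell triage script for the two artifacts described above, an automatic proxy (PAC) URL forced into the network settings and an extra root certificate trusted at the admin level, on a Mac suspected of being infected. The function and variable names are mine, the sample command outputs (including the loopback PAC URL on port 5555) are constructed for illustration, and the output formats assumed for `networksetup -getautoproxyurl` and `security dump-trust-settings -d` are assumptions about the macOS tools rather than anything the article states.

```shell
#!/bin/sh
# Added example, not from the article or from Check Point's research: a triage
# script for the two artifacts the article describes as persisting after the
# dropper deletes itself, a proxy auto-configuration (PAC) URL forced into the
# network settings and an extra root certificate trusted by the system.
# The parsing functions take command output as text, so they can be run and
# tested offline; the output formats of `networksetup -getautoproxyurl` and
# `security dump-trust-settings -d` are assumptions about the macOS tools.

# Constructed sample outputs (not captured from a real infection).
SAMPLE_AUTOPROXY='URL: http://127.0.0.1:5555/proxy.pac
Enabled: Yes'
SAMPLE_PAC='function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.corp.example")) return "PROXY proxy.corp.example:8080";
  return "PROXY 127.0.0.1:5555; DIRECT";
}'
SAMPLE_TRUST='Number of trusted certs = 2
Cert 0: Apple Root CA
   Number of trust settings : 0
Cert 1: Example Intercept CA
   Number of trust settings : 1'

# pac_status TEXT: classify `networksetup -getautoproxyurl <service>` output.
# Prints "pac <url>" when an automatic proxy URL is enabled, "none" otherwise.
pac_status() {
    url=$(printf '%s\n' "$1" | sed -n 's/^URL: *//p')
    enabled=$(printf '%s\n' "$1" | sed -n 's/^Enabled: *//p')
    if [ "$enabled" = "Yes" ] && [ -n "$url" ] && [ "$url" != "(null)" ]; then
        printf 'pac %s\n' "$url"
    else
        printf 'none\n'
    fi
}

# suspicious_proxy_host URL_OR_HOSTPORT: true when the proxy or PAC host is
# the loopback interface (a local process is choosing where traffic goes, as
# with a Tor/socat tunnel) or a Tor .onion name.  Local debugging proxies
# trigger this too, so treat a hit as something to explain, not as proof.
suspicious_proxy_host() {
    case "$1" in
        *://127.*|*://localhost*|*127.0.0.1:*|*localhost:*|*.onion*) return 0 ;;
    esac
    return 1
}

# pac_suspicious_directives PAC_TEXT: print every PROXY/SOCKS directive in a
# PAC file whose host is suspicious; prints nothing when the PAC looks benign.
pac_suspicious_directives() {
    printf '%s\n' "$1" | grep -oE '(PROXY|SOCKS5?|HTTPS?) +[^;" ]+' |
    while IFS= read -r directive; do
        hostport=${directive#* }
        if suspicious_proxy_host "$hostport"; then
            printf '%s\n' "$directive"
        fi
    done
}

# admin_trusted_roots TEXT: list certificate labels from
# `security dump-trust-settings -d` (admin-level trust settings are where a
# root certificate added with the user's admin password ends up).
admin_trusted_roots() {
    printf '%s\n' "$1" | sed -n 's/^Cert [0-9][0-9]*: //p'
}

# Live triage; only meaningful on macOS, so it is skipped elsewhere.
if [ "$(uname)" = "Darwin" ]; then
    networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
        svc=${svc#\*}                       # a leading * marks a disabled service
        status=$(pac_status "$(networksetup -getautoproxyurl "$svc")")
        case "$status" in
            "pac "*)
                url=${status#pac }
                if suspicious_proxy_host "$url"; then
                    echo "SUSPICIOUS automatic proxy on $svc: $url"
                else
                    echo "automatic proxy on $svc: $url (confirm it is your network's PAC)"
                fi
                pac=$(curl -s --max-time 5 "$url") &&
                    pac_suspicious_directives "$pac" | sed 's/^/  suspicious PAC directive: /'
                ;;
        esac
    done
    echo "Admin-trusted root certificates (review any you did not install yourself):"
    admin_trusted_roots "$(security dump-trust-settings -d 2>/dev/null)"
    echo "Persistence locations to review:"
    ls -la ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons 2>/dev/null
fi
```

Run it with `sh` on the suspect Mac. A PAC URL on the loopback interface is the strongest signal here, because it means a process on the machine itself, rather than the network, is deciding where every connection goes; an admin-trusted root that nobody in the organisation remembers installing is the second. Neither finding is conclusive on its own, and cleaning up means removing both the proxy setting and the certificate, not just one.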

Reportedly, Apple can largely shut down the campaign by revoking the developer certificate the malware's creators are using, according to The Hacker News. Revocation stops Gatekeeper from accepting new copies of the installer, but it does not undo the proxy settings or remove the root certificate on machines that are already infected; those have to be cleaned up separately. Most Mac users probably believe they are far less susceptible to malware than PC users, but this is increasingly untrue. According to McAfee Labs, malware attacks on macOS computers rose 744% last year.

In the meantime, users should avoid clicking links or opening attachments in messages from unknown senders. Above all, exercise extreme caution before entering your administrator password into any prompt, no matter how legitimate it looks; a password request that appears right after opening a downloaded file is a warning sign, not a security feature.
