The End of Innocence

Unlock iPad Mini

The End of Innocence

And Tips to Keep your Apple devices safe.

For years, Windows users were the main target for malware writers, since Windows based systems got the larger chunk of the market. Mac users as a minority, have remained safe, and took no heed of warnings that the time of innocence would soon be over. The growing popularity of Mac devices is causing the malware for Macs to become a real threat these days. Security researchers at Check Point, have recently discovered the first “major scale” trojan for Apple’s desktop OS – OSX/Mac Dok.

The Mac Dok malware is spread through phishing emails. Such emails feature ZIP attachments, and trick users into downloading them. Once unzipped, installed and launched, the malware takes control over your system. Hence the nickname of it – trojan, like the Trojan Horse. You get a gift, but with a twist.

This is done to intercept your traffic and impersonate web-site. Like ticket selling sites or your bank on-line services. You might enter your credit card information, not knowing that the site is actually a fake one. Job done, the culprits can remove the malware from your system remotely and no one even knows it was ever there in the first place.

So, Survival Rule #1 goes: Never download ZIP files from untrusted sources. Period. The malware features a fake certificate in order to bypass Apple’s Gatekeeper verification, and gains full access to the device. The OSX/Mac Dok — affects all versions of OSX, has 0 detections on VirusTotal. Virus Total is the largest on-line list of viruses, trojans, malwares and adwares. Apple hasn’t issued a patch for this hole in the software yet, which is why it’s better to follow the proverb: Better safe than sorry.

The possible good news from this is that the malware mostly “doctors” European users. A user in Germany was baited with a message regarding alleged issues with the tax returns. The zipped archive was named Dokument.zip and signed on April 21th 2017 by a “Seven Muller”. The bundle name was Truesteer.AppStore. You got it? The criminals used the name of the trusted on-line store in order to lure the victim in.

What happens when you try to unzip the archive? The message pops up that the archive is damaged and cannot be executed. But, this is a lie. While you read this very message, the malware is being installed to the /Users/Shared/ folder. Then, it will go on and run the shell commands meant to replace the login item.

It’ll get stuck in the system and execute automatically every system reboot, until it finishes to install its payload. Then, a window opens on top of all the other windows. The message this window contains is innocent enough, it simply says, “You’ve got a security issue, and an update is available to patch it. Just put in your password, and you’ll be okay”. You can’t access other windows though, and you can’t close or minimize this one until you enter the password. The moment you do, the malware is given the administrator privileges on the infested machine.

What does mean for you? It means, the malware can install and run any software without you knowing it, let alone approving. OSX / Mac Dok then changes the network settings and route all outgoing connections through the malicious proxy server. The criminals can intercept all your actions online: banking, e-mailing, messaging, paying in online stores. They can impersonate you and hack protected sites and resources, as well.

To avoid all these troubles, please, follow the guide below:

Don’t open the attachments sent to you from unknown e-mail addresses. Never open them. Especially ZIP files. N-E-V-E-R. If you are emailed by some officially looking correspondent, i.e. tax office or your provider, check their official websites back to make sure the e-mail coincides. If you still have some doubts, contact them back and ask if they really send such e-mails.
If you’re sent a link from your pal, saying, “Oh, I’ve seen you in this picture, have a look, is it you?”, again check the friend back and ask if he or she really e-mailed you.
Do not download files from the sources other than iTunes and App Store.
Install the up-to-date antivirus software and turn on the anti-phishing add-on.