Watch out for this money stealing macOS malware which mimics your online bank

A recently discovered strain of Apple Mac malware has begun mimicking major banking websites in an effort to steal login details from victims.

First uncovered in May, OSX.Dok affected all versions of Apple’s older OS X operating system and was initially used to spy on victims’ web traffic.

The malware was later modified to infect macOS users, and its latest variant has been updated to steal money and financial credentials, say researchers at Check Point.

This new Dok campaign is distributed via phishing emails relating to financial or tax matters, with the payload deployed via a malicious ZIP file that victims are urged to run. This latest attack specifically targets macOS users, pairing the malware with a man-in-the-middle attack that enables the perpetrators to spy on all of the victim's communications, even if they're SSL-encrypted.

Dok appears to be highly sophisticated malware, shown by mutations in its code that make it more difficult to detect and remove — especially as Dok modifies the OS’ settings in order to disable security updates and prevent some Apple services from communicating.

Once installed on a system, Dok downloads TOR for the purposes of communication with a command and control server over the dark web, which helps to geolocate the victim and customise the attack according to location — with evidence suggesting the malware mainly targets users in Europe.

A proxy file is served to the victim depending on their location, with the aim of redirecting traffic destined for bank domains to a fake site hosted on the attacker's C&C server, which harvests login credentials and allows the attacker to carry out bank transactions.

For example, a proxy setting for a Swiss IP address contains instructions for redirecting the victim's attempts to visit banking websites local to the country, including Credit Suisse, Globalance Bank, and CBH Bank.
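An added example (my own code, not Check Point's or the malware's) of how a defender could triage such a proxy file statically: it assumes the file is a proxy auto-config (PAC) script, and the bank hostnames in the sample are constructed placeholders, not the real domains.

```python
# Added example (not Check Point's code): static triage of a proxy auto-config
# (PAC) file. Assumes the "proxy file" is a PAC script; hostnames are constructed.
import fnmatch
import re

# Constructed sample of a location-specific hijack PAC: bank hostnames are sent
# to an attacker-controlled proxy, everything else goes direct.
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.example-bank.ch") ||
        dnsDomainIs(host, ".example-privatbank.ch")) {
        return "PROXY 127.0.0.1:5555";
    }
    return "DIRECT";
}
'''

_RULE = re.compile(r'if\s*\((.*?)\)\s*\{?\s*return\s*"([^"]+)"', re.S)
_GLOB = re.compile(r'shExpMatch\(\s*host\s*,\s*"([^"]+)"')
_SUFFIX = re.compile(r'dnsDomainIs\(\s*host\s*,\s*"([^"]+)"')
_DEFAULT = re.compile(r'return\s*"([^"]+)"\s*;\s*}\s*$')

def parse_rules(pac_text):
    """[(globs, suffixes, action)] per if/return pair; conditions are treated as
    OR-ed, the idiom redirection PACs use (no JavaScript is executed)."""
    return [(_GLOB.findall(c), _SUFFIX.findall(c), a) for c, a in _RULE.findall(pac_text)]

def route_for(host, pac_text):
    """Where the PAC would send `host`, by matching its rules statically."""
    host = host.lower()
    for globs, suffixes, action in parse_rules(pac_text):
        if any(fnmatch.fnmatch(host, g.lower()) for g in globs) or \
           any(host.endswith(s.lower()) for s in suffixes):
            return action
    m = _DEFAULT.search(pac_text.strip())       # trailing catch-all return
    return m.group(1) if m else "DIRECT"

def hijacked_hosts(hosts, pac_text):
    """Hosts routed through a PROXY/SOCKS while the catch-all is DIRECT: the
    selective-interception shape of this campaign, not a corporate proxy."""
    default = route_for("unrelated.example.net", pac_text)
    flagged = {}
    for h in hosts:
        r = route_for(h, pac_text)
        if r != default and r.upper().startswith(("PROXY", "SOCKS")):
            flagged[h] = r
    return flagged
```

On a Mac, `networksetup -getautoproxyurl Wi-Fi` shows whether a PAC URL has been set for that service; the downloaded PAC text can then be fed to `hijacked_hosts` together with the bank hostnames your users visit.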

A fake bank login page, with the telltale signs highlighted, including wrong copyright years, the missing original SSL certificate, and the missing auth token in the URL. Image: Check Point

After entering their login details, the user is prompted to provide their mobile number for supposed SMS verification. Obviously, this isn’t what the phone number is for; instead the attackers use it to prompt the victim into downloading a mobile application — as well as Signal, a legitimate messaging app.

It’s likely Signal is installed in order to allow the attacker to communicate with the victim at a later stage or to commit additional malicious or fraudulent activities, such as installing malware onto the mobile device. Whatever the intentions of using Signal are, researchers note that its use will “make it harder for law enforcement to trace the attacker”.

While the identity and location of those behind Dok are unknown, researchers note that the Apple malware is a version of the Retefe banking Trojan, which has been ported from Windows. Retefe has also been known to predominantly target European banks.

Whoever is behind OSX.Dok, Check Point warns the malware is still on the loose and will be a threat for some time to come, especially if the attackers continue to invest in advanced obfuscation techniques.

Macs long had a reputation for being virus-free, but cybercriminals are increasingly turning their attention to Apple systems and distributing malware to users.