It says it first appears as a phishing email. What does the email look like?

> On Apr 30, 2017, at 7:34 PM, John Robinson <profilecoven...@me.com> wrote:
> 
> 
> Even though this is primarily in Europe and obtained by phishing I thought 
> you might want to be aware.
> 
> John
> 
> 
> 
> 
> Gatekeeper won’t stop this ‘major scale’ Mac malware
> Killian Bell <http://www.cultofmac.com/author/killian-bell/>
> 7:41 am, April 28, 2017
> 
> <mac-malware.png>
> 
> The OSX/Dok malware forces you to install a bogus OS X update. 
> Image: Check Point
> 
> OSX/Dok, a new strain of “major scale” malware targeting macOS users, can 
> bypass the Gatekeeper feature that’s designed to block malicious software.
> The newly identified trojan, which prevents you from doing anything on your 
> Mac until you install a bogus software update, also goes undetected by many 
> antivirus programs.
> 
> As the macOS user base grows, so does the malware that targets it. According 
> to McAfee Labs, malware attacks designed for Mac computers rose 744 percent 
> in 2016 
> <http://www.cultofmac.com/475297/mcafee-report-reveals-mac-malware-skyrocketed-2016/>,
>  with almost 460,000 samples discovered. The latest is particularly worrisome.
> 
> Uncovered by security researchers at Check Point 
> <http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/>,
>  OSX/Dok can hit all versions of macOS and OS X. It wasn’t recognized by 
> antivirus databases when it was first discovered, and it is considered to be 
> the first “major scale malware” to target Mac users.
> 
> OSX/Dok malware targets all Macs
> 
> The most troublesome aspect of this malware? It is signed with a valid 
> developer certificate that’s been authenticated by Apple, which means macOS 
> doesn’t see it as a threat and it isn’t blocked by Gatekeeper. The 
> certificate is dated April 21, 2017.
> 
> “Once OSX/Dok infection is complete, the attackers gain complete access to 
> all victim communication, including communication encrypted by SSL,” explains 
> Check Point. “This is done by redirecting victim traffic through a malicious 
> proxy server.”
> The malware is being distributed primarily in Europe via phishing emails that 
> encourage users to download a file that details supposed inconsistencies in 
> their tax returns. That file is named “Dokument.zip” when distributed among 
> users in Germany.
> 
> How OSX/Dok Mac malware works
> 
> When you open it, the malware copies itself to the /Users/Shared folder, then 
> proceeds to execute itself automatically. It also removes any trace of the 
> original download from the Downloads folder, and presents an error message 
> that hopes to convince users the file “could not be opened.”
> 
> Little do they know that the malware has added itself as a Login Item with 
> the name “AppStore,” which runs automatically when they first start up their 
> Macs. It will continue to execute every time an infected Mac is started up 
> until it has successfully installed its payload.
> “The malicious application will then create a window on top of all other 
> windows. This new window contains a message, claiming a security issue has 
> been identified in the operating system that an update is available, and that 
> to proceed with the update, the user has to enter a password.”
> 
> Once you have received this popup, you cannot do anything with your Mac until 
> you agree to install the bogus update. And of course, entering your password 
> provides the malware with administrator privileges and it can continue the 
> next phase of its assault.
> That includes installing a package manager that downloads and installs 
> additional tools, and providing the existing user account with admin 
> privileges immediately without the need to enter a password. It also alters 
> network settings to ensure all outgoing connections pass through a proxy.
> 
> What OSX/Dok Mac trojan does
> 
> Of course, that proxy sits on a malicious server on the “dark web,” and every 
> piece of data that passes through it gets collected.
> “As a result of all of the above actions, when attempting to surf the web, 
> the user’s web browser will first ask the attacker web page on TOR for proxy 
> settings,” Check Point says.
> 
> “The user traffic is then redirected through a proxy controlled by the 
> attacker, who carries out a Man-In-the-Middle attack and impersonates the 
> various sites the user attempts to surf. The attacker is free to read the 
> victim’s traffic and tamper with it in any way they please.”
> Once the attacker has obtained the information they want, the malware will 
> remove itself from the infected machine. The user has no idea what was going 
> on in the background until it’s too late.
> 
> 
> Via: The Hacker News 
> <http://thehackernews.com/2017/04/apple-mac-malware.html>
> _______________________________________________
> MacGroup mailing list
> Posting address: MacGroup@erdos.math.louisville.edu
> Archive: <http://www.mail-archive.com/macgroup@erdos.math.louisville.edu/>
> Answers to questions: <http://erdos.math.louisville.edu/macgroup/>
