Harry, Here is an excerpt from an article I read this morning on how the hackers fooled those not paying attention.
John As with nearly all macOS malware, OSX/Dok requires a naive user who accepts at face value phishing email and willingly extracts and launches a file they were not expecting and which they’re unfamiliar with. The main exception to this was the subversion of two releases of the torrenting software Transmission, which had legitimate copies replaced by hacked ones. Those were also Trojan horses, but from software people intentionally downloaded and installed. With BlockBlock and XFence (formerly Little Flocker) installed, even if you had been trusting enough to carry out the steps to launch the malware, it would have been unable to write files or mark itself as launching on startup. (Both packages are free and in beta.) Mac users need to maintain vigilance against launching any file that wasn’t expected or is from an unknown party or one that claims to be tax, law-enforcement, or another authority. Even if the file appears to be from a known source, if it’s not something expected and in a format typically sent by that person or group, it might be a spearphishing attempt, in which faked return addresses are used to lull people into installing a Trojan horse. Sent from my iPad > On Apr 30, 2017, at 11:39 PM, Harry Jacobson-Beyer <[email protected]> wrote: > > it says it first appears as a phishing email. What does the email look like? > >> On Apr 30, 2017, at 7:34 PM, John Robinson <[email protected]> wrote: >> >> >> Even though this is primarily in Europe and obtained by phishing I thought >> you might want to be aware. >> >> John >> >> >> >> >> Gatekeeper won’t stop this ‘major scale’ Mac malware >> Killian Bell7:41 am, April 28, 2017 >> >> <mac-malware.png> >> >> The OSX/Dok malware forces you to install a bogus OS X update. >> Image: Check Point >> >> OSX/Dok, a new strain of “major scale” malware targeting macOS users, can >> bypass the Gatekeeper feature that’s designed to block malicious software. >> The newly identified trojan, which prevents you from doing anything on your >> Mac until you install a bogus software update, also goes undetected by many >> antivirus programs. >> >> As the macOS user base grows, so does the malware that targets it. According >> to McAfee Labs, malware attacks designed for Mac computers rose 744 percent >> in 2016, with almost 460,000 samples discovered. The latest is particularly >> worrisome. >> >> Uncovered by security researches at Check Point, OSX/Dok can hit all >> versions of macOS and OS X. It wasn’t recognized by antivirus databases when >> it was first discovered, and it is considered by be the first “major scale >> malware” to target Mac users. >> >> OSX/Dok malware targets all Macs >> >> The most troublesome aspect of this malware? It is signed with a valid >> developer certificate that’s been authenticated by Apple, which means macOS >> doesn’t see it as a threat and it isn’t blocked by Gatekeeper. The >> certificate is dated April 21, 2017. >> >> “Once OSX/Dok infection is complete, the attackers gain complete access to >> all victim communication, including communication encrypted by SSL,” >> explains Check Point. “This is done by redirecting victim traffic through a >> malicious proxy server.” >> The malware is being distributed primarily in Europe via phishing emails >> that encourage users to download a file that details supposed >> inconsistencies in their tax returns. That file is named “Dokument.zip” when >> distributed among users in Germany. >> >> How OSX/Dok Mac malware works >> >> When you open it, the malware copies itself to the /Users/Shared folder, >> then proceeds to execute itself automatically. It also removes any trace of >> the original download from the Downloads folder, and presents an error >> message that hopes to convince users the file “could not be opened.” >> >> Little do they know that the malware has added itself as a Login Item with >> the name “AppStore,” which runs automatically when they first start up their >> Macs. It will continue to execute every time an infected Mac is started up >> until it has successfully installed its payload. >> “The malicious application will then create a window on top of all other >> windows. This new window contains a message, claiming a security issue has >> been identified in the operating system that an update is available, and >> that to proceed with the update, the user has to enter a password.” >> >> Once you have received this popup, you cannot do anything with your Mac >> until you agree to install the bogus update. And of course, entering your >> password provides the malware with administrator privileges and it can >> continue the next phase of its assault. >> That includes installing a package manager that downloads and installs >> additional tools, and providing the existing user account with admin >> privileges immediately without the need to enter a password. It also alters >> network settings to ensure all outgoing connections pass through a proxy. >> >> What OSX/Dok Mac trojan does >> >> Of course, that proxy sits on a malicious server on the “dark web,” and >> every piece of data that passes through it gets collected. >> “As a result of all of the above actions, when attempting to surf the web, >> the user’s web browser will first ask the attacker web page on TOR for proxy >> settings,” Check Point says. >> >> “The user traffic is then redirected through a proxy controlled by the >> attacker, who carries out a Man-In-the-Middle attack and impersonates the >> various sites the user attempts to surf. The attacker is free to read the >> victim’s traffic and tamper with it in any way they please.” >> Once the attacker has obtained the information they want, the malware will >> remove itself from the infected machine. The user has no idea what was going >> on in the background until it’s too late. >> >> >> Via: The Hacker News >> _______________________________________________ >> MacGroup mailing list >> Posting address: [email protected] >> Archive: <http://www.mail-archive.com/[email protected]/> >> Answers to questions: <http://erdos.math.louisville.edu/macgroup/> > > _______________________________________________ > MacGroup mailing list > Posting address: [email protected] > Archive: <http://www.mail-archive.com/[email protected]/> > Answers to questions: <http://erdos.math.louisville.edu/macgroup/>
_______________________________________________ MacGroup mailing list Posting address: [email protected] Archive: <http://www.mail-archive.com/[email protected]/> Answers to questions: <http://erdos.math.louisville.edu/macgroup/>
