A malware research team has discovered a new piece of Mac malware that reportedly affects all versions of MacOS and is signed with a valid developer certificate authenticated by Apple (via The Hacker News).

The malware has been dubbed "DOK" and is being disseminated through an email phishing campaign which researchers at CheckPoint say is specifically targeting macOS users, making it the first of its kind.

Screen Shot 3 3
The malware works by gaining administration privileges in order to install a new root certificate on the user's system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL.

The initial email pretends to be informing the recipient of inconsistencies in their tax return and asks them to download a zip file attachment to their Mac that harbors the malware. Apple's built-in Gatekeeper security feature reportedly fails to recognize it as a threat because of its valid developer certificate, and the malware copies itself to the /Users/Shared/ folder and creates a login item to make itself persistent, even in a rebooted system.

The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the "update", the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic.

Screen Shot 2 3
According to the researchers, Mac antivirus programs have yet to update their databases to detect the DOK malware, and advises that Apple revoke the developer certificate associated with the author immediately.

Back in January, researchers discovered a piece of Mac malware called Fruitfly that successfully spied on computers in medical research centers for years before being detected.

The latest discovery of malware, which appears to target predominantly European users, underlines the fact that Macs are not immune to the threat as is sometimes supposed. As always, users should avoid clicking links or downloading attachments in emails from unknown and untrusted sources.

Tag: Security

Top Rated Comments

netwalker Avatar
netwalker
91 months ago
The initial email pretends to be informing the recipient of inconsistencies in their tax return and asks them to download a zip file attachment to their Mac that harbors the malware.
People that actually do this should not have admin rights on their machines.
Score: 25 Votes (Like | Disagree)
darkpaw Avatar
darkpaw
91 months ago
Looking at the screenshot in this story, the spelling mistakes are enough for me to not want to click any further.

I received that email earlier today, but it's to an email address that's not associated with the tax people, so I immediately deleted it.

To avoid all this, I have my own domain and use a separate email for each company/service I interact with, i.e. tesco@mydomain.com, amazon@mydomain.com etc. When I receive spam to a given address, say, tesco@... I change the email for that service to tesco2@... and bin all emails that go to the original. It's a little bit of admin, but it cuts spam down a lot.
Score: 11 Votes (Like | Disagree)
spazzcat Avatar
spazzcat
91 months ago
Wow, more and more reports of malware occurring - need to be even more vigilant


The money quote right here, we as Mac users cannot blindly ignore the threat.
The IRS isn't going to email you zip file about your taxes. If fact no one you don't know is going to email you a zip file that is real.
Score: 7 Votes (Like | Disagree)
justperry Avatar
justperry
91 months ago
If People see "OS X Updates available" while on MacOs and still clicking Update All they should think first.

Not only that, always update through the AppStore and you won't get this.
.
.
.
.
.
.
.
Edited: Appsore=Appstore.
Score: 4 Votes (Like | Disagree)
shareef777 Avatar
shareef777
91 months ago
People that actually do this should not have admin rights on their machines.
Downloading ANY file in an email from someone you don't know is bad. If everyone knew that, then the internet would be a (slightly) safer place.
Score: 4 Votes (Like | Disagree)
newyorksole Avatar
newyorksole
91 months ago
Sooo you're only affected if you click/open suspicious links? Ok I'm safe.

Can't believe people believe these IRS emails/scams...
Score: 3 Votes (Like | Disagree)
Read All Comments

Popular Stories

iOS 18 Siri Integrated Feature

iOS 18 Rumored to Add These 10 New Features to Your iPhone

Wednesday April 24, 2024 2:05 pm PDT by
Apple is set to unveil iOS 18 during its WWDC keynote on June 10, so the software update is a little over six weeks away from being announced. Below, we recap rumored features and changes planned for the iPhone with iOS 18. iOS 18 will reportedly be the "biggest" update in the iPhone's history, with new ChatGPT-inspired generative AI features, a more customizable Home Screen, and much more....
Read Full Article
Apple Silicon AI Optimized Feature Siri

Apple Releases Open Source AI Models That Run On-Device

Wednesday April 24, 2024 3:39 pm PDT by
Apple today released several open source large language models (LLMs) that are designed to run on-device rather than through cloud servers. Called OpenELM (Open-source Efficient Language Models), the LLMs are available on the Hugging Face Hub, a community for sharing AI code. As outlined in a white paper [PDF], there are eight total OpenELM models, four of which were pre-trained using the...
Read Full Article86 comments
maxresdefault

Apple Announces 'Let Loose' Event on May 7 Amid Rumors of New iPads

Tuesday April 23, 2024 7:11 am PDT by
Apple has announced it will be holding a special event on Tuesday, May 7 at 7 a.m. Pacific Time (10 a.m. Eastern Time), with a live stream to be available on Apple.com and on YouTube as usual. The event invitation has a tagline of "Let Loose" and shows an artistic render of an Apple Pencil, suggesting that iPads will be a focus of the event. Subscribe to the MacRumors YouTube channel for more ...
Read Full Article280 comments
apple id account

Apple ID Accounts Logging Out Users and Requiring Password Reset

Saturday April 27, 2024 12:41 am PDT by
There are widespread reports of Apple users being locked out of their Apple ID overnight for no apparent reason, requiring a password reset before they can log in again. Users say the sudden inexplicable Apple ID sign-out is occurring across multiple devices. When they attempt to sign in again they are locked out of their account and asked to reset their password in order to regain access. ...
Read Full Article309 comments
macbook pro purple february

Best Buy Introduces Record Low Prices on Apple's M3 MacBook Pro for Members

Thursday April 25, 2024 7:41 am PDT by
Best Buy is discounting a collection of M3 MacBook Pro computers today, this time focusing on the 14-inch version of the laptop. Every deal in this sale requires you to have a My Best Buy Plus or Total membership, although non-members can still get solid second-best prices on these MacBook Pro models. Note: MacRumors is an affiliate partner with Best Buy. When you click a link and make a...
Read Full Article44 comments
macos sonoma feature purple green

Apple's Regular Mac Base RAM Boosts Ended When Tim Cook Took Over

Friday April 26, 2024 6:34 am PDT by
Apple used to regularly increase the base memory of its Macs up until 2011, the same year Tim Cook was appointed CEO, charts posted on Mastodon by David Schaub show. Earlier this year, Schaub generated two charts: One showing the base memory capacities of Apple's all-in-one Macs from 1984 onwards, and a second depicting Apple's consumer laptop base RAM from 1999 onwards. Both charts were...
Read Full Article400 comments