A new malware for macOS reads your HTTPS traffic


For a long time users believed that running macOS protected them from malware when connecting to the Internet. Several years ago that may have been close to the truth, but today the idea is far from reality: new threats targeting Apple's operating system appear every so often, as we are going to see below.

Check Point security researchers reported the discovery of new macOS malware called OSX/Dok. The malware is relatively new and affects all versions of the operating system. It is signed with a developer signature authenticated and verified by Apple, and as of this writing neither antivirus products nor VirusTotal are able to detect it.

Although it has not yet been confirmed, this malware is believed to have reached users through a large-scale spam campaign. Its victims are users in Europe, with the highest number of infections detected in Germany.

The email used to carry out these attacks attaches a file called Dokument.zip, signed with a valid signature as noted above. When the victim unzips the file, the malware copies itself to the /Users/Shared/ folder and is executed from there with the following three commands:

  1. chmod, to give the malware execution permissions
  2. rm -fr, to remove the original Document.app file
  3. document, to run the malware automatically

Once the malware is running, it displays a message on the victim's system stating that serious security problems were detected and that a security patch must be installed. When the victim attempts to install this "patch", the malware prompts for the administrator password.

[Image: the fake macOS security update prompt displayed by the malware]

When the infection is complete, the attacker has full access to the victim's system, including SSL-encrypted traffic, because all traffic is forced through a proxy under the attacker's control. To do this it uses a certificate signed by Comodo, which allows it to carry out a man-in-the-middle (MITM) attack.

The malware also installs other packages, such as brew, which it uses to redirect traffic through the Tor network. Once it has finished, the malware removes itself from the computer.

How do we remove this threat from macOS, and how do we protect ourselves from it?

As mentioned above, this malware reaches users through email, so the first step in protecting ourselves is to avoid downloading and running any file received by email. Also remember that no security software currently recognizes it, so it will not protect us.

If we have already been infected, recall that once the malware finishes setting up the traffic redirection it deletes itself, so its absence tells us nothing. The next step is therefore to check the proxy settings of our system and remove any suspicious value that appears there, and to remove certificates that are installed on the system but not recognized, such as the Comodo certificate shown on the Check Point website.
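The check described above, as an added example that is not code from the article or from Check Point: a small triage script that reads the proxy configuration of every network service with the macOS networksetup tool, flags any proxy that is enabled, dumps the certificates in the System keychain so their subject and issuer can be reviewed, and lists .app bundles left in /Users/Shared. It assumes the standard macOS networksetup, security and openssl command-line tools; the sample networksetup outputs embedded for offline use are constructed, not captured from a compromised host.

```python
#!/usr/bin/env python3
"""Triage helper for the proxy/certificate hijack described in the article.

Added example, not code from the article or Check Point. Assumes the macOS
`networksetup`, `security` and `openssl` tools and their usual output formats.
"""
import os
import subprocess

PROXY_KINDS = ("webproxy", "securewebproxy", "autoproxyurl")
SHARED_DIR = "/Users/Shared"                       # drop folder named in the article
SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"


def parse_proxy_output(text):
    """Turn the 'Key: Value' lines printed by `networksetup -get<kind>` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def proxy_finding(service, kind, text):
    """Describe an enabled proxy for one service/kind, or return None when it is off."""
    fields = parse_proxy_output(text)
    if fields.get("Enabled", "No").lower() != "yes":
        return None
    target = fields.get("URL") or f"{fields.get('Server', '?')}:{fields.get('Port', '?')}"
    return f"{service}/{kind} -> {target}"


def audit_proxies(outputs):
    """outputs: {(service, kind): networksetup text}. Returns every enabled proxy, sorted."""
    findings = []
    for (service, kind), text in sorted(outputs.items()):
        finding = proxy_finding(service, kind, text)
        if finding:
            findings.append(finding)
    return findings


def split_pem(text):
    """Split `security find-certificate -a -p` output into individual PEM blocks."""
    blocks, current = [], []
    for line in text.splitlines():
        current.append(line)
        if line.strip() == "-----END CERTIFICATE-----":
            blocks.append("\n".join(current) + "\n")
            current = []
    return blocks


def app_bundles(entries):
    """Names in a directory listing that are .app bundles (what the article says is dropped)."""
    return sorted(e for e in entries if e.lower().endswith(".app"))


# Constructed sample output in the format networksetup prints; not from a real host.
SAMPLE_OUTPUTS = {
    ("Wi-Fi", "webproxy"): "Enabled: Yes\nServer: proxy.example.test\nPort: 8080\nAuthenticated Proxy Enabled: 0\n",
    ("Wi-Fi", "securewebproxy"): "Enabled: Yes\nServer: proxy.example.test\nPort: 8080\nAuthenticated Proxy Enabled: 0\n",
    ("Wi-Fi", "autoproxyurl"): "URL: (null)\nEnabled: No\n",
    ("Ethernet", "webproxy"): "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
}


def _run(argv):
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def list_services():
    lines = _run(["networksetup", "-listallnetworkservices"]).splitlines()
    # The first line is an explanatory banner; a leading '*' marks a disabled service.
    return [l.lstrip("*").strip() for l in lines[1:] if l.strip()]


def live_audit():
    """Run the checks against the local machine (macOS only)."""
    outputs = {(s, k): _run(["networksetup", f"-get{k}", s])
               for s in list_services() for k in PROXY_KINDS}
    for finding in audit_proxies(outputs):
        print("ENABLED PROXY:", finding)
    # Print subject, issuer and fingerprint of every System keychain certificate for review.
    for pem in split_pem(_run(["security", "find-certificate", "-a", "-p", SYSTEM_KEYCHAIN])):
        info = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer", "-fingerprint", "-sha256"],
                              input=pem, capture_output=True, text=True, check=False)
        print(info.stdout.strip())
    if os.path.isdir(SHARED_DIR):
        for name in app_bundles(os.listdir(SHARED_DIR)):
            print("APP BUNDLE IN SHARED DIR:", os.path.join(SHARED_DIR, name))


if __name__ == "__main__":
    live_audit()
```

Any enabled proxy that you did not configure yourself deserves attention, and so does any root certificate in the System keychain whose issuer you do not recognize; the article singles out the Comodo-signed certificate used for the MITM. Certificates that were explicitly marked trusted by an administrator also show up in `security dump-trust-settings -d`, which is worth reviewing alongside the keychain listing, since removing the malware binary alone leaves both the proxy setting and the trusted certificate in place.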

