macOS Dok malware eavesdrops on web traffic

A security vendor has discovered a new type of Mac malware that listens in to HTTP and HTTPS traffic.

Revealed late last week by Check Point and dubbed OSX.Dok, the new malware was delivered as an email attachment. Europeans were the main target.

A sample email provided by the company purported to come from the Swiss government, and the attachment was supposedly a list of questions about the recipient's tax return.

You can read Check Point's detailed description of how the malware works, but in a nutshell it nags the user into installing a fake security update, in the process giving it administrator privileges.

The malware then configures the system to use a proxy server controlled by the attacker, and installs a certificate. Together, these measures allow a man-in-the-middle attack, listening to HTTP and HTTPS traffic and possibly tampering with it.
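A defender-side check for the two changes just described, added here as an example and not taken from Check Point's or iTWire's material: it flags an enabled system proxy whose host is not on an allow-list, and any trusted certificate whose fingerprint is absent from a known-good baseline. The input formats assume the text printed by macOS `networksetup -getwebproxy`/`-getautoproxyurl` and `security find-certificate -a -p`; the sample values are constructed placeholders, not artefacts captured from Dok.

```python
"""Spot the two artefacts the article describes: an attacker proxy and an extra trusted cert."""
import base64
import hashlib
import re

# Constructed placeholders (not real Dok indicators) in the formats the macOS tools print.
SAMPLE_PAC = "URL: http://proxy.example.invalid/proxy.pac\nEnabled: Yes\n"
SAMPLE_NO_PROXY = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
              + "\n-----END CERTIFICATE-----\n")


def parse_proxy(text: str) -> dict:
    """Parse the 'Key: Value' lines printed by `networksetup -getwebproxy <service>`,
    `-getsecurewebproxy <service>` or `-getautoproxyurl <service>`."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def proxy_is_suspicious(text: str, allowed_hosts=()) -> bool:
    """True when a proxy (or PAC URL) is enabled and its host is not on the allow-list."""
    cfg = parse_proxy(text)
    if cfg.get("Enabled", "No").lower() != "yes":
        return False
    target = cfg.get("Server") or cfg.get("URL", "")
    host = re.sub(r"^https?://", "", target).split("/")[0].split(":")[0]
    return host not in allowed_hosts


def pem_fingerprints(pem_bundle: str) -> set:
    """SHA-256 fingerprints of every certificate in a PEM bundle, such as the output of
    `security find-certificate -a -p /Library/Keychains/System.keychain`."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    fps = set()
    for body in re.findall(pattern, pem_bundle, re.S):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def new_roots(current_pem: str, baseline_fps: set) -> set:
    """Fingerprints present in the keychain now but absent from a known-good baseline."""
    return pem_fingerprints(current_pem) - baseline_fps


if __name__ == "__main__":
    print("proxy suspicious:", proxy_is_suspicious(SAMPLE_PAC))
    print("unexpected certs:", new_roots(SAMPLE_PEM, baseline_fps=set()))
```

On a real host, feed the functions the live tool output and a baseline of fingerprints recorded from a clean machine; a PAC URL or proxy server that appears without a change-management record deserves the same scrutiny as the certificate.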

The malware was signed with a developer certificate, reducing the number of warning signs. But it did rely on recipients' naivety: apart from any other considerations, the covering email looked dodgy, and the "security update" notification had an unfamiliar format.

Apple has since revoked that developer certificate, and added Dok to the list of malware caught by XProtect. Additionally, Dok is now detected by many security products in addition to Check Point's offerings, including Ad-Aware, Avast, AVG, BitDefender, ClamAV, Kaspersky, McAfee, Sophos, Symantec and Trend Micro.

Completely removing all the items installed by the malware and reversing the other changes it makes is non-trivial. Malwarebytes provides some advice near the foot of this page.
