New 'Dok' malware targets Macs using signed Apple developer certificate

Posted:
in macOS
A new strain of malware targeting Mac users is attempting to slip past defenses through a phishing scheme and a signed Apple developer certificate -- though in practice, it may still not pose much of a threat.




The code, dubbed "Dok" by security firm Check Point, is said to affect "all versions" of macOS/OS X, and be the first "major scale" malware directed at Mac owners through a "coordinated email phishing campaign." The emails are aimed mostly at Europeans, one example being a German-language message from a supposed Swiss official, claiming problems with the target's tax return.

While Dok's signed certificate allows it to bypass Apple's Gatekeeper, infection is unlikely because victims must not only choose to download an attachment but enter their root password twice during the installation process, for instance after a fake OS X update window pops up asking users to install a security fix.

People who do fall prey, however, will find all of their communications vulnerable to intercept by the responsible hacker(s), even over SSL.

Macs are generally assaulted by malware less frequently than Windows, but incidents have been on the rise as Macs gain in popularity. In recent months a slew of attacks have been reported, some of them with prominent targets, like biomedical research, the defense industry, and human rights advocates.

To help counter threats, Apple has launched a bug bounty program similar to ones at other high-tech firms like Google. Security experts can potentially earn as much as $200,000 for exposing vulnerabilities in the company's code.

Comments

  • Reply 1 of 4
    magman1979magman1979 Posts: 1,222member
    "While Dok's signed certificate allows it to bypass Apple's Gatekeeper"

    So based on this, it's a developer certificate, and since this is now publicized, will be revoked by Apple before the day is out, rendering this so-called "virus" inert.

    Another non-story, move along.
    wlymelijahg
  • Reply 2 of 4
    linkmanlinkman Posts: 1,016member
    What happens if you have a revoked certificate for that app but you have set Gatekeeper to allow apps downloaded from anywhere? Will it warn you? Will it prevent it from running even though it's sort of allowed? 
  • Reply 3 of 4
    sergiozsergioz Posts: 338member
    linkman said:
    What happens if you have a revoked certificate for that app but you have set Gatekeeper to allow apps downloaded from anywhere? Will it warn you? Will it prevent it from running even though it's sort of allowed? 
    When certificate is reworked App would not be able to establish a secure connection to call back, which would deem the malware useless.

    Gatekeeper has no impact in this instance! 

    I recommend using OpenDNS to protect your self from malware on Mac.
  • Reply 4 of 4
    linkmanlinkman Posts: 1,016member
    sergioz said:
    linkman said:
    What happens if you have a revoked certificate for that app but you have set Gatekeeper to allow apps downloaded from anywhere? Will it warn you? Will it prevent it from running even though it's sort of allowed? 
    When certificate is reworked App would not be able to establish a secure connection to call back, which would deem the malware useless.

    Gatekeeper has no impact in this instance! 

    I recommend using OpenDNS to protect your self from malware on Mac.
    I think you are mixing up Apple developer certificates issued by Apple and certificates issued by CAs that can be used in SSL connections.
Sign In or Register to comment.