New Stealth Mac Malware targets users through Spam Emails

A new stealthy Mac malware strain, dubbed Dok, targets users through spam emails. It uses Tor to evade detection and a rogue Apple certificate to intercept encrypted browser traffic. Security researchers say the malware has been targeting users in Europe.

Check Point researchers said:

“Dok is the first major scale malware to target OSX users via a coordinated email phishing campaign”.

This stealthy malware affects all OSX versions and, at the time of discovery, had zero detections on VirusTotal, the popular online malware scanning platform, indicating that it was operating undetected. The researchers said the Dok malware used a rogue but “valid” Apple developer certificate to intercept encrypted web traffic.

How does the malware arrive via spam emails?

The spam emails carry a malicious document named, which unzips to an app named Truesteer.AppStore. Upon execution, the app copies itself to another location on the victim’s computer, deletes the original file and displays a pop-up error message informing the user that the document couldn’t be opened.

The malware then deletes the AppStore application on the victim’s computer and instead adds a new login item, which according to Check Point researchers “will persist in the system and execute automatically every time the system reboots, until it finishes to install its payload”.

Ofer Caspi, a Check Point malware researcher, said:

“The malware mostly targets European users. For instance, one phishing message was observed to target a user in Germany by baiting the user with a message regarding supposed inconsistencies in their tax returns.”

The malware tricks the victim into entering their password by opening a new window that urges them to install a security update.

Caspi said: “The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine.”

Dok installs a new root certificate on the infected system and uses it to mount man-in-the-middle (MITM) attacks, which allow the attackers to intercept all of the victim’s web traffic.

Caspi said: “By abusing the victim’s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser.”
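Because the interception described above depends on a root certificate the victim's system has been told to trust, a defender's first check is to list which roots the admin trust domain trusts for SSL and compare them against the roots actually deployed. The script below is an added example, not code from the article or from Check Point: it parses the text output of the macOS `security dump-trust-settings -d` command (the field layout is assumed from the tool's usual format), using a constructed sample dump and a hypothetical allow-list.

```python
"""Flag unexpected root CAs trusted for SSL in the macOS admin trust domain.
Added example (not from the article or Check Point): parses the text output of
`security dump-trust-settings -d`; the layout is assumed from the tool's usual
format and the sample below is constructed."""
import re
# Constructed sample: one deliberately deployed corporate root and one root
# nobody recognises, trusted for every policy (no Policy OID line).
SAMPLE_DUMP = """Number of trusted certs = 2
Cert 0: Corp Internal Root CA
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : SSL
      Result Type           : kSecTrustResultProceed
Cert 1: Unknown Root CA (constructed)
   Number of trust settings : 1
   Trust Setting 0:
      Result Type           : kSecTrustResultProceed
"""

# Hypothetical allow-list of root CAs an administrator knowingly installed.
# Matching by name is a first pass; compare fingerprints for a real audit.
ALLOWED_ROOTS = frozenset({"Corp Internal Root CA"})
CERT_RE = re.compile(r"^Cert \d+: (.+)$")
POLICY_RE = re.compile(r"Policy OID\s*:\s*(\S+)")
RESULT_RE = re.compile(r"Result Type\s*:\s*(\S+)")
TRUSTED_RESULTS = {"kSecTrustResultProceed", "kSecTrustResultUnspecified"}

def parse_trust_dump(text):
    """Map certificate name -> set of policies it is trusted for (None = all)."""
    trusted, current, policy = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CERT_RE.match(line):
            current = m.group(1)
            trusted.setdefault(current, set())
        elif line.startswith("Trust Setting"):
            policy = None  # a new setting; no policy restriction seen yet
        elif current and (m := POLICY_RE.search(line)):
            policy = m.group(1)
        elif current and (m := RESULT_RE.search(line)) and m.group(1) in TRUSTED_RESULTS:
            trusted[current].add(policy)
    return trusted

def suspicious_ssl_roots(trusted, allowed=ALLOWED_ROOTS):
    """Names trusted for SSL (or for every policy) that are not on the allow-list."""
    return sorted(name for name, pols in trusted.items()
                  if name not in allowed and ("SSL" in pols or None in pols))

if __name__ == "__main__":
    print(suspicious_ssl_roots(parse_trust_dump(SAMPLE_DUMP)))
```

On a real Mac, replace SAMPLE_DUMP with the live output of `security dump-trust-settings -d` captured via subprocess; any name the script reports should be checked against change records before it is removed.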

How to prevent it?

Attackers are increasingly using spam emails to launch large-scale cyberattack campaigns. Be wary of any software that asks for your root or administrator password, especially when the prompt appears unexpectedly, and treat unsolicited email attachments with the same suspicion.