Apple blocks comms-snooping malware (The Register)

Apple has moved to thwart a malware attack that used a legitimate – probably hijacked – developer certificate, by revoking the cert.

Check Point wrote up the malware last week, calling “OSX/Dok” “the first major scale malware to target OSX users via a coordinated email phishing campaign”.

A hapless user who okayed all the stages of infection would end up having all their communications snooped – even HTTPS sessions encrypted with SSL.

The malware installation process included a legitimate-looking “your computer has a security problem” window that opened on top of all other windows, which Check Point captured:

The fake update alert

The fake nagware dialogue

If a user relents and okays the dialogue, the malware gets admin privileges, installs the Brew package manager, installs Tor and SORCAT, and forces the user’s connections through a proxy for snooping. The traffic interception is supported by the Comodo certificate installed by the malware.

According to Kaspersky’s Threatpost, Apple revoked the certificate on Sunday, US time, and also dropped an update to its XProtect anti-malware software. ®

Source: SANS ISC SecNewsFeed @ May 3, 2017 at 12:30AM