New Mac malware can intrude on Gmail and online bank connections

Just as Windows users need to be cautious about launching programs sent over email, so too do Mac owners.

A new malware program targeting Mac systems by using a program signed with an Apple-validated digital certificate can steal communications over Gmail and banking websites.

Security firm Check Point discovered a new strain of Mac malware that online criminals are spreading via mass email. According to its researchers, this is the “first major scale malware to target OSX users via a coordinated email phishing campaign.”

Mac malware, though less common than its Windows counterpart, isn’t new; however, it’s typically distributed via websites rather than email. There are numerous instances of bogus Adobe Flash Player updates on the web carrying malware for Mac systems; sometimes they’re also signed with a real Apple Developer ID certificate to avoid triggering Apple’s security alerts for unsigned applications.

In the Windows world, malware delivered by spam email is common and sometimes exploits new Windows vulnerabilities, such as a recent batch of messages that targeted Australian organizations.

Malware-laden email aimed specifically at Mac systems isn’t so common, and the Mac malware discovered by Check Point gives the attackers “complete access to all victim communication”. This includes communication on HTTPS pages, which would, on a non-infected Mac, be protected by encryption.

Google, for example, ensures that communications between a browser and its Gmail servers are protected with encryption over an HTTPS connection. This security can be undone if malware is installed on the user’s computer. HTTPS can be broken in a number of ways, including by antivirus products that are designed to inspect encrypted traffic for malware.

The attackers behind the new Mac malware, which Check Point labels OSX/Dok, undermine encryption between the user and the web server by installing a new root certificate on the infected Mac, allowing them to sit between the end user and the server.

“By abusing the victim’s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser,” said Ofer Caspi, a member of Check Point’s malware research team.

While Mac users can in general trust Apple’s policy of trusting signed software, attackers can exploit the fact that Apple permits macOS users to install software from the web, even though it discourages this in dialogue box warnings.

This malware locks victims into a series of dialogue boxes that convincingly impersonate legitimate macOS system dialogue boxes in order to trick the victim into entering the device’s password, which will allow the malware to complete installation.

The malware then changes the Mac’s network settings to allow outgoing connections of the attacker’s choosing, and then installs a new root certificate to allow the attacker to snoop on the computer’s messages.

Once this is set, the malware launches two routines that ensure the infected Mac channels all online connections through the attacker’s server, allowing the attacker to control what the user sees when they attempt to connect to a site they believe they know, such as a banking site or other site that uses HTTPS.
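The two changes described above, a new root certificate the system now trusts and network settings that route connections through a server of the attacker’s choosing, are both visible from the command line on a Mac. The following triage script is an added example, not code from the article or from Check Point: it parses the text output of `security find-certificate -a` and `networksetup -getautoproxyurl` / `-getwebproxy` / `-getsecurewebproxy`, reports any certificate label that is not on an allowlist you maintain, and reports any proxy setting that is switched on. The allowlist, the keychain path and the sample command output embedded below are constructed for illustration, not captured from a real infection.

```python
"""Triage helper: flag unexpected certificate labels in a macOS keychain dump and
enabled proxy settings, the two artefacts the article says OSX/Dok leaves behind.
Parses the text output of `security find-certificate -a` and of the
`networksetup -get*proxy*` commands. Constructed sample output is embedded so
the parsing and detection logic can be run on any platform."""
import re
import subprocess
import sys

# Labels you expect to see in the dumped keychain; anything else is reported.
# Constructed allowlist: build a real one from a known-good Mac of the same OS version.
EXPECTED_LABELS = {"Apple Root CA", "Apple Root CA - G2", "Apple Root CA - G3"}

# `security find-certificate -a` prints one attribute block per certificate;
# the "labl" attribute carries the human-readable certificate name.
LABEL_RE = re.compile(r'"labl"<blob>="([^"]*)"')


def unexpected_labels(find_certificate_output, expected=EXPECTED_LABELS):
    """Return certificate labels from a `security find-certificate -a` dump
    that are not in the expected set, sorted for stable reporting."""
    labels = LABEL_RE.findall(find_certificate_output)
    return sorted(set(labels) - set(expected))


def proxy_enabled(networksetup_output):
    """True if a `networksetup -get*proxy*` listing reports 'Enabled: Yes'.
    The anchor avoids matching the separate 'Authenticated Proxy Enabled:' line."""
    m = re.search(r"^Enabled:\s*(\S+)", networksetup_output, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "yes"


def triage(cert_dump, proxy_dumps):
    """Combine both checks. proxy_dumps maps a setting name to its command output."""
    findings = [f"unexpected certificate in keychain dump: {label}"
                for label in unexpected_labels(cert_dump)]
    findings += [f"proxy setting enabled: {name}"
                 for name, out in proxy_dumps.items() if proxy_enabled(out)]
    return findings


# --- constructed sample output (shape of the real tools, values invented) ---
SAMPLE_CERT_DUMP = """\
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="Apple Root CA"
    "labl"<blob>="Apple Root CA"
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="Example Interception Root"
    "labl"<blob>="Example Interception Root"
"""
SAMPLE_AUTOPROXY = "URL: http://127.0.0.1:8080/example.pac\nEnabled: Yes\n"
SAMPLE_WEBPROXY = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_PROXIES = {"autoproxy": SAMPLE_AUTOPROXY, "webproxy": SAMPLE_WEBPROXY}


def live_collect(service="Wi-Fi", keychain="/Library/Keychains/System.keychain"):
    """Collect real output on a Mac. Service name and keychain path are assumptions;
    adjust them to the machine being examined."""
    def run(*argv):
        return subprocess.run(argv, capture_output=True, text=True).stdout
    certs = run("security", "find-certificate", "-a", keychain)
    proxies = {
        "autoproxy": run("networksetup", "-getautoproxyurl", service),
        "webproxy": run("networksetup", "-getwebproxy", service),
        "securewebproxy": run("networksetup", "-getsecurewebproxy", service),
    }
    return certs, proxies


if __name__ == "__main__":
    # Run against the live system only on macOS and only when asked; otherwise
    # exercise the logic on the constructed sample.
    if sys.platform == "darwin" and "--live" in sys.argv:
        certs, proxies = live_collect()
    else:
        certs, proxies = SAMPLE_CERT_DUMP, SAMPLE_PROXIES
    for finding in triage(certs, proxies) or ["no findings"]:
        print(finding)
```

Run it with `--live` on a Mac to inspect the real keychain and the Wi-Fi service; without that flag it runs against the embedded sample and reports the invented "Example Interception Root" and the enabled auto-proxy URL. A label allowlist is a coarse check (an attacker can name a certificate anything), so treat a clean result as a first pass rather than proof of a clean system, and confirm suspicious entries by inspecting the certificate itself.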

The lesson here for Mac users is to view email from unknown senders with a cautious eye. Numerous instances of malware designed for macOS (or Mac OS X) do exist, disproving the argument that there is none. But while Mac malware is less common, it doesn’t hurt to be aware of the strains that do exist.