Malware installs Signal as part of scheme to steal Mac users' banking credentials

A harbinger of ported threats to come for Mac users?

New Mac malware is mysteriously pushing the Signal private-messaging app onto victims' mobile devices as part of a scheme to steal their banking credentials.

The threat, which goes by the name OSX/Dok, uses phishing mail laden with a malicious application as its attack vector. Those who crafted this campaign purchase Apple developer certificates (US $99) to sign their malicious application. That investment pays off: because the application carries a valid signature, it passes Gatekeeper's ever-watchful gaze.

Upon successful installation, OSX/Dok modifies the OS settings with a shell command that disables security updates. It also alters the local hosts file so that all communication with various Apple websites, as well as VirusTotal, gets redirected to the local machine. These changes prevent the machine from contacting outside services that the victim could use for detection and recovery.

Next, OSX/Dok gets to work with its pre-show: a man-in-the-middle (MitM) attack designed to intercept the victim's traffic. For this trick, it installs the Tor browser and a proxy before geolocating the hapless user and sending over the appropriate proxy file settings.

Ofer Caspi of Check Point's malware research team explains the point behind these efforts:

"The proxy file will redirect all traffic to the mentioned domains, used mainly by banks (such as 'credit-suisse', 'globalance-bank', 'cbhbank' etc.) or other financial entities, to the local proxy that the malware had set up on the local machine. The proxy will then redirect it to the malicious C&C server on TOR (currently 'm665veffg3tqxoza.onion'). This way, once the victim tries to visit any of the listed sites, they will be redirected to a fake website on the attacker's C&C server."

Only after it has completed its MitM attack does OSX/Dok strap in for its main event. When the victim visits a web page for one of the targeted banks, they see a malicious copy of the actual bank's website prompting them to download an application onto their mobile devices "for security reasons."
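The two host-level changes described above, namely update and detection domains pinned to loopback in the hosts file and bank domains routed through a proxy on the local machine, are both visible in plain text files that a defender can audit. The Python script below is an added example written for this page; it is not code from Check Point or from the article. The hosts entries, the bank domain suffixes (TLDs), the proxy port 5555 and the watched-domain list are constructed samples for illustration, not indicators taken from the real OSX/Dok sample.

```python
"""Audit a macOS hosts file and a proxy auto-config (PAC) file for the two
tampering patterns described above: update/detection domains pinned to
loopback, and bank domains routed to a proxy running on the local machine.
All sample inputs are constructed for this example."""
import re
from ipaddress import ip_address

# Domain suffixes whose redirection to loopback would blind updates and
# detection services. Illustrative list for this example, not the malware's.
WATCHED_DOMAINS = ("apple.com", "virustotal.com")

# Constructed hosts file: the last two entries are the kind of tampering
# described in the article (hostnames chosen for illustration only).
SAMPLE_HOSTS = """\
##
# Host Database (constructed sample)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
127.0.0.1       swscan.apple.com    # bogus: blocks software update lookups
127.0.0.1       www.virustotal.com  # bogus: blocks sample lookups
"""

# Constructed PAC file: bank domains (TLDs and port are assumptions) go to a
# proxy on the local machine, everything else goes direct.
SAMPLE_PAC = """\
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (shExpMatch(host, "*.credit-suisse.com") ||
      shExpMatch(host, "*.globalance-bank.com")) {
    return "PROXY 127.0.0.1:5555";
  }
  if (dnsDomainIs(host, ".cbhbank.com")) return "PROXY localhost:5555";
  return "DIRECT";
}
"""


def _is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    if addr.lower() == "localhost":
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def _is_watched(hostname):
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that pin a watched domain to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if not _is_loopback(ip):
            continue
        hits.extend((ip, n) for n in names if _is_watched(n))
    return hits


# One PAC 'if (...) return "PROXY host:port"' statement. The condition may not
# cross ';', '{' or '}', so a preceding 'return "DIRECT";' is never swallowed.
_PAC_IF = re.compile(
    r'if\s*\(([^;{}]*?)\)\s*(?:\{\s*)?return\s+"PROXY\s+([^":\s]+)(?::(\d+))?"',
    re.IGNORECASE,
)
_QUOTED = re.compile(r'"([^"]+)"')


def local_proxy_redirects(pac_text):
    """Return (host_pattern, proxy) pairs where the proxy is on loopback."""
    hits = []
    for condition, proxy_host, port in _PAC_IF.findall(pac_text):
        if not _is_loopback(proxy_host):
            continue
        proxy = f"{proxy_host}:{port}" if port else proxy_host
        hits.extend((pattern, proxy) for pattern in _QUOTED.findall(condition))
    return hits


def audit(hosts_text, pac_text):
    """Combine both checks into one report dictionary."""
    return {
        "hosts_pinned_to_loopback": suspicious_hosts_entries(hosts_text),
        "pac_local_proxy_rules": local_proxy_redirects(pac_text),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_HOSTS, SAMPLE_PAC).items():
        print(f"{check}: {len(findings)} finding(s)")
        for item in findings:
            print("   ", *item)
```

On a live Mac the same functions can be fed the contents of `/etc/hosts` and of the PAC file that `networksetup -getautoproxyurl "Wi-Fi"` reports for the active network service; any hit in either check deserves a closer look, since a legitimate configuration rarely pins Apple or VirusTotal to loopback or sends only banking domains through a proxy on 127.0.0.1.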

The prompt to install a mobile phone application for security reasons.

If the user submits a working phone number, the attackers send them a link to download the mobile application. At this time, those behind this malware campaign are sending victims a link to Signal, the encrypted messaging app.

App install link

Caspi is not exactly sure why OSX/Dok's handlers are pushing Signal onto victims. But he has a theory:

"It is possible that Signal installed on the victim's mobile device would allow the attacker to communicate with the victim at a later stage, as the perpetrator is not necessarily active at the same time the victim reaches for the banking site. Using Signal may make it easier for the attacker to masquerade as the bank and trick the victim into providing the SMS they had received from the real bank, when the attacker tries to log in to the site (in case the credentials alone are not enough due to the 2FA). Similarly, the perpetrator might use Signal to commit additional fraudulent activities against the victim at a later time. Whatever the goal may be, Signal will possibly make it harder for law enforcement to trace the attacker."

Finally, the criminals gain access to the victim's bank account, at which point they can do whatever they want with it.

Troubling? Yes. Preventable? You betcha.

An isolated incident? Perhaps not for long.

As it turns out, OSX/Dok is a copy of the Windows-based Retefe trojan. Attackers have simply ported the malware to macOS.

You see where this could be going? Let Caspi spell it out for you:

"The fact that the OSX/Dok is ported from Windows may point to a tendency. We believe more Windows malware will be ported to macOS, either due to the lower number of quality security products for macOS compared to the ones for Windows, or the rising popularity of Apple computers. According to Gartner, Macs have more than tripled their total market share in less than a decade."

With the influx of macOS-based malware ported from Windows-based threats as a distinct possibility, it's important that Mac users take some steps to protect their computers.

First of all, they need to lose that "holier-than-thou" attitude and realize that EVERYONE, not just Windows users, is vulnerable to malware. Then the healing can begin with the installation of an anti-virus solution. And don't forget to avoid suspicious links and email attachments!

12 Responses

  1. Bob King

    July 17, 2017 at 7:56 am #

    1. Use Chrome
    2. Install products from Objective-See.
    3. Don't listen to people whose only interest is to sell you a product you do not need.

  2. Kam Banwait

    July 17, 2017 at 8:19 am #

    Any recommendations on apps for Mac to scan for such apps?

    • Graham Cluley in reply to Kam Banwait.

      July 17, 2017 at 1:00 pm #

      AV-Test.org recently put anti-virus products for Mac through their paces.

      Read https://www.av-test.org/en/news/news-single-view/10-antivirus-suites-for-macos-sierra-put-to-the-test/

      A number of vendors do free anti-virus software for Mac users, so read up and try them out!

  3. Nik

    July 17, 2017 at 12:15 pm #

    It's just a ploy to sell snake oil, e.g. anti-virus for Mac which is unneeded. AV for Mac will not prevent human stupidity, e.g. clicking on a "malware laden" phishing email.

    If you click on an email link and install a program and then give the program administrator rights by entering your admin password, then nothing and no one can help you. You always have the right to compromise your own computer. And social engineering will always fool some.

    On Windows, the first thing this malware will do is disable all the AV programs. I've also recently seen first hand that malware is stronger than AV software, I had some malware on a friend's Windows computer that I could remove only by reinstalling Windows. I tried many different AV products, none of them actually removed the malware, it always found a way back in. This cost me 2 days of scanning, rebooting, deleting malware etc…

    For this reason I am not sure anyone needs AV on Windows either. It doesn't work. Same for Mac.

    • Graham Cluley in reply to Nik.

      July 17, 2017 at 12:58 pm #

      Hi Nik.

      If only everyone was as smart as you and never clicked on a dangerous attachment or dodgy link.

      Unfortunately, people do make mistakes – all the time. And so anti-virus software serves as a helpful safety net for them, reducing the chances of a successful infection.

      Furthermore, anti-virus software helps reduce the chances of being hit by a threat which requires zero user interaction (such as drive-by downloads, remote code execution attacks, etc).

      My recommendation is that people should run anti-virus software on their home and business computers – both Windows and Mac. There are some great solutions out there available for free for home users if you're worried that this is just "snake oil".

  4. Mike

    July 17, 2017 at 2:14 pm #

    I've been hearing the "you're about to be overrun" and "it's your turn now" malware warnings for a long time… Crickets… Nik is right – unless you're not too bright and you hand over unsolicited admin like hot cakes, you're fine.

    • Graham Cluley in reply to Mike.

      July 17, 2017 at 3:59 pm #

      I'm not saying anyone is about to be overrun. There's definitely much less malware written for Mac than there is for Windows or Android, but that doesn't mean Mac malware doesn't exist and doesn't infect users in the real world.

      There are plenty of examples of real life Mac malware infection. Feel free to do the research yourself, or check on other reputable sources of computer security information.

      As a starter, I recommend you check up on the Flashback malware which infected over 600,000 Macs including a few hundred at a company in Cupertino…

  5. Bob king

    July 17, 2017 at 4:15 pm #

    New Mac malware is mysteriously pushing the Signal private-messaging app onto victims' mobile devices as part of a scheme to steal their banking credentials.

    Looks like it is for iOS not MacOS.

  6. Bob king

    July 17, 2017 at 4:16 pm #

    Signal is not a macOS app or at least I could not find it on the App Store.

    • Graham Cluley in reply to Bob king.

      July 17, 2017 at 4:24 pm #

      The malware is for Mac.

      It encourages you (for reasons best known to itself) to install the Signal app onto your mobile device.

  7. Alex

    July 17, 2017 at 5:21 pm #

    AV-Test lists MacKeeper in that list of tested suites. MacKeeper is at best unwanted software from a very shady company and at worst actively malicious. I can't take AV-Test seriously if they consider MacKeeper a legitimate security program. Other reputable security tools for the Macintosh platform detect and remove MacKeeper as unwanted garbage.

    • Graham Cluley in reply to Alex.

      July 17, 2017 at 5:55 pm #

      If you read this website you'll see I've slagged off MacKeeper multiple times for its shoddy marketing practices.

      AV-Test.org, however, is only interested in the numbers. In short, how much malware can product XYZ detect?

      Reading AV-Test’s latest Mac comparison it's clear that MacKeeper dramatically underperforms its competitors when it comes to malware detection. Another nail in their coffin I expect.

      It's good that independent testing labs expose MacKeeper's poor performance. You shouldn't criticise AV-Test.org for doing that, especially if you're not a fan of MacKeeper in other areas.