Chapters in this post:
- 1 Mac Trojan: OSX/Dok under the microscope since April 2017
- 2 New malware version: bank data and Signal messenger
- 3 Why is the malware not recognized by the Apple Mac?
- 4 Fake bank page using the example of Credit Suisse
- 5 This is how you recognize a fake bank page
- 6 This is how redirecting to the fake page works
- 7 Further information and tips
According to the renowned software company Check Point, the macOS Trojan OSX/Dok is back, and this time it installs the Signal messenger while also stealing account details for online banking. The latter basically works without Signal, which is why the security experts assign the messenger app several possible roles. It may only serve as a placeholder for mobile attacks on the iPhone by fraudsters who want to steal bank data with the macOS Trojan OSX/Dok.

Mac Trojan: OSX/Dok under the microscope since April 2017
As early as April 2017, Check Point pointed out in a post the Mac malware that attacks Apple users' data. Even then, the attackers' goal was to read the victims' communications, also and above all those running over encrypted SSL connections. The goal of OSX/Dok is clearly data theft by spying on confidential information, email addresses and passwords. In addition, according to Check Point, the same problem exists now as in April: users of Apple Mac, MacBook and iMac in Europe are particularly affected.
Worth reading: Do I need antivirus software on the Mac or MacBook?
New malware version: bank data and Signal messenger
[...] the sneaky actors behind [the OSX/Dok malware] don't give up yet. They target the victim's banking credentials by mimicking sites from major banks.
Check Point makes this known in a current article. In addition to spying on online banking credentials, Mac users are encouraged to install an app on their smartphone (iPhone). A QR code is provided for this, which is used to bypass authentication.
The app is currently the Signal messenger, which can take on the following roles:
- Bypassing or simulating the two-factor authentication that is otherwise implemented via SMS
- Placeholder that the cyber criminals will swap for their own app in later versions of the malware
- Communication path for further malware, blackmail (ransomware) or similar
- Measuring the success of the malware, which is apparently high in many installations
Why is the malware not recognized by the Apple Mac?
Apple and its individual products, from iMac and Mac to MacBook, iPhone and iPad, have long been considered safe and unassailable. However, due to their growing popularity and number of users, cyber criminals are now making much more effort and finding ways to infiltrate the Mac as well. Viruses, malware, ransomware, Trojans and more are no longer just the problem of Microsoft Windows and PC users. For example, the attackers buy Apple certificates to evade Apple's Gatekeeper security mechanism.
Fake bank page using the example of Credit Suisse
In the linked post by Check Point you will find a comprehensive illustration of the fake page that the OSX/Dok malware displays when the victim wants to use Credit Suisse online banking. This bank is only one example: in addition to banks in Switzerland, Germany and Austria, other banking sites in Europe are or may be affected. In any case, on the fake page you get a message about the "modernization of the security system" and are asked to install the mobile application:

This is how you recognize a fake bank page
The pages are as alike as two peas in a pod; even the current security notice on the real Credit Suisse page, which warns of phishing e-mails, has been copied. However, here are three characteristics by which you can recognize a fake online banking site related to the Mac Trojan:
| | Real Credit Suisse site | Fake site for data theft |
|---|---|---|
| SSL certificate | "Credit Suisse Group AG (CH)" | "Secure" |
| Authentication token in URL | "Auth?~..." | "Auth?Language=..." |
| Years in copyright | 1997 – 2017 | 1997 – 2013 |
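The first and third indicators in the table can be checked programmatically. The following is an added example, not code from the post or from Check Point: it reads the subject organisation of a certificate in the dictionary format Python's `ssl` module returns (an EV certificate carries the company name; a plain domain-validated one does not) and checks whether the copyright range on the page ends before the current year. The expected organisation name and the 2013/2017 years come from the table above; the certificate dictionaries, hostnames and HTML snippets are constructed samples.

```python
import re
import socket
import ssl

# Organisation name the genuine site's EV certificate shows, per the table above.
EXPECTED_ORG = "Credit Suisse Group AG"

def subject_field(cert, key):
    """Read one field (e.g. 'organizationName') from a getpeercert()-style dict."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None

def cert_warnings(cert, expected_org=EXPECTED_ORG):
    """Warn when the subject lacks an organisation (no EV identity, shown only as
    'Secure' in the browser) or names a different company than expected."""
    org = subject_field(cert, "organizationName")
    if org is None:
        return ["certificate subject has no organisation name (no EV identity)"]
    if org != expected_org:
        return [f"certificate organisation is '{org}', expected '{expected_org}'"]
    return []

def copyright_warnings(html, current_year=2017):
    """Warn when the copyright range ends before the current year
    (the fake page showed 1997 - 2013, the real one 1997 - 2017)."""
    match = re.search(r"(\d{4})\s*[-–]\s*(\d{4})", html)
    if match is None:
        return ["no copyright year range found on page"]
    end_year = int(match.group(2))
    if end_year < current_year:
        return [f"copyright notice ends in {end_year}; page may be a stale copy"]
    return []

def fetch_peer_cert(host, port=443):
    """Fetch the certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format; hostnames are placeholders.
GENUINE_CERT = {"subject": ((("countryName", "CH"),),
                            (("organizationName", "Credit Suisse Group AG"),),
                            (("commonName", "bank.example"),))}
FAKE_CERT = {"subject": ((("commonName", "fake-bank.example"),),)}
GENUINE_HTML = "<footer>Copyright &copy; 1997 - 2017</footer>"
FAKE_HTML = "<footer>Copyright &copy; 1997 - 2013</footer>"

if __name__ == "__main__":
    for label, cert, html in (("real", GENUINE_CERT, GENUINE_HTML), ("fake", FAKE_CERT, FAKE_HTML)):
        print(label, cert_warnings(cert) + copyright_warnings(html) or "no warnings")
```

Note that on a machine where the Trojan has installed its own root certificate, the browser will still show the padlock, so the organisation name in the subject is the more reliable of the two signals.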
This is how redirecting to the fake page works
The OSX/Dok Trojan first locates the victim by its IP address. Depending on the geo-location, a proxy is then selected, which redirects in the correct language to the C&C (command and control) server via the Tor network and the dark net. In other words: if a bank page is called up, the user does not reach the page on the bank's servers but is directed to the fake page on the attackers' servers. If you want to see which bank URLs are affected, I recommend this overview from Check Point:

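Because the redirect runs through a proxy, one practical check on a Mac is to audit the system proxy settings. The following is an added example, not code from the post or from Check Point: it queries each network service with Apple's `networksetup` command and reports any enabled automatic proxy configuration (PAC) URL or HTTP/HTTPS proxy. The sample outputs embedded at the end are constructed and only approximate the command's output format; the audit function itself runs only on macOS.

```python
import subprocess

def parse_networksetup(text):
    """Turn the 'Key: value' lines that networksetup prints into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def proxy_findings(autoproxy_text, webproxy_text, secureproxy_text):
    """Report every enabled proxy setting for one network service."""
    findings = []
    auto = parse_networksetup(autoproxy_text)
    if auto.get("Enabled") == "Yes":
        findings.append(f"automatic proxy configuration (PAC) enabled: {auto.get('URL')}")
    for label, text in (("HTTP", webproxy_text), ("HTTPS", secureproxy_text)):
        conf = parse_networksetup(text)
        if conf.get("Enabled") == "Yes":
            findings.append(f"{label} proxy enabled: {conf.get('Server')}:{conf.get('Port')}")
    return findings

def run_networksetup(*args):
    """Run one networksetup subcommand and return its stdout (macOS only)."""
    return subprocess.run(["networksetup", *args], capture_output=True, text=True, check=False).stdout

def audit_mac_proxies():
    """Check the proxy configuration of every network service on this Mac."""
    listing = run_networksetup("-listallnetworkservices").splitlines()[1:]  # first line is a legend
    report = {}
    for service in listing:
        service = service.lstrip("*")  # disabled services are marked with an asterisk
        report[service] = proxy_findings(
            run_networksetup("-getautoproxyurl", service),
            run_networksetup("-getwebproxy", service),
            run_networksetup("-getsecurewebproxy", service),
        )
    return report

# Constructed samples of networksetup output (not captured from an infected machine).
SAMPLE_PAC_ON = "URL: http://pac.example/proxy.pac\nEnabled: Yes\n"
SAMPLE_PAC_OFF = "URL: (null)\nEnabled: No\n"
SAMPLE_WEB_OFF = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_WEB_ON = "Enabled: Yes\nServer: 10.0.0.5\nPort: 8080\nAuthenticated Proxy Enabled: 0\n"

if __name__ == "__main__":
    for service, findings in audit_mac_proxies().items():
        print(service, findings or "no proxy configured")
```

A PAC URL or proxy you did not set yourself is worth investigating, since it means every request, including those to your bank, can be rerouted before it leaves the machine.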
Further information and tips
You can find even more information, notes and background on the current threat for everyone who uses the Apple Mac for online banking in the linked articles from Check Point. There you will also find further graphics and details on the source code of the OSX/Dok Trojan. Finally, I would like to suggest a few more articles from this blog:
- Data backup: backup copy as protection against ransomware
- Webcam cover and Camsticker® for iMac, MacBook, iPhone and iPad
- Oversight: Monitor camera and microphone for free
- Malwarebytes 3.0: Anti-Virus, Anti-Ransomware, Anti-Exploit and Web Protection
- Protect your Mac and network: Micro Snitch and Little Snitch
After graduating from high school, Johannes completed an apprenticeship as a business assistant specializing in foreign languages. But then he decided to research and write, which resulted in his independence. For several years he has been working for Sir Apfelot, among others. His articles include product introductions, news, manuals, video games, consoles, and more. He follows Apple keynotes live via stream.
Maybe you won't get this Trojan until you go to Check Point. All very dubious.
Separate multiple backups and a slider for the camera, on the other hand, are a good tip and something I have been doing for a long time.
And I don't even react to emails from banks. I also don't understand how PayPal, for example, still sends the notice of a new account overview by email.
Yes, that is the right attitude. Nothing really important comes from a bank via email, and certainly not an indication that the access data must be verified. Unfortunately, with PayPal you have the problem that information is sometimes sent by email. I would like them to have 2-factor authentication. That would make the whole story much less risky. Best regards! Jens