macOS Trojan OSX / Dok installs Messenger Signal and steals banking data

According to the renowned software company Check Point is the macOS Trojan OSX / Doc back, and this time he installs Messenger Signal while he also steals account details for online banking. The latter basically works without a signal, which is why the messenger app is assigned different roles by the digital security experts. It is possible that it only serves as a placeholder for mobile attacks on the iPhone for fraudsters who want to steal bank data with the macOS Trojan OSX / Dok.

If you use an Apple Mac, iMac or MacBook to do online banking, you shouldn't come across the OSX / Dok trojan that attacks Mac OS X and macOS.

Mac Trojans: OSX / Doc since April 2017 under the microscope

As early as April 2017, Check Point was rolled into one Post pointed out the Mac malware that attacks Apple users' data. Even then, the attackers 'goal was to read out the victims' communications - also and above all those who run over encrypted SSL data lines. The goal of OSX / Dok is clearly data theft by spying on confidential information, email addresses and passwords. In addition, according to Check Point, there is now the same problem as in April: users of Apple Mac, MacBook and iMac in Europe are particularly affected.

Worth reading: Do I need antivirus software on the Mac or MacBook?

New version malware: banking information and Signal Messenger

[...] the sneaky actors behind [the OSX / Doc malware] don't give up yet. They target the victim's banking credentials by mimicking sites from major banks.

This gives Check Point in a current Articles known. In addition to spying on login data for online banking, Mac users are called upon to install an app on their smartphone (iPhone). A QR code is provided for this in order to bypass authentications.

The app is currently the messenger Signalwho can take on the following roles:

• Bypassing / simulating the two-factor authentication that is otherwise implemented via SMS
• Placeholder that the cyber criminals exchange with their own app in later versions of the malware
• Communication path for further malware, blackmail (Ransomware) or similar
• Measuring the success of the malware, which is apparently high in many installations

Why is the malware not recognized by the Apple Mac?

Apple and the individual products from iMac and Mac to MacBook to iPhone and iPad have long been considered secure and invulnerable. Due to the growing popularity and number of users, cyber criminals are now making much more effort and finding ways to infiltrate your Mac as well. Viruses, malware, ransomware, Trojans and more are no longer just a problem for Microsoft Windows and users of a PC. For example, the attackers buy Apple certificates in order to evade Apple's GateKeeper security program.

Fake bank page using the example of Credit Suisse

In the linked post by Check Point you will find a comprehensive representation of the fake page that is displayed due to the OSX / Dok malware when the victim uses online banking Credit Suisse want to operate. This bank is only one example, since in addition to banks in Switzerland, Germany and Austria, other banking sites in Europe are / may be affected. In any case, on the fake page you get a message about the "modernization of the security system" and you are asked to install the mobile application:

Source: Check Point

This is how you recognize a fake bank page

The pages are mostly the same as pods, even the current security notice on the real Credit Suisse page, which one is on Phishing e-mails indicates can be accepted. However, here are three characteristics by which you can recognize a fake online banking site that is related to the Mac Trojan:

This is how redirecting to the fake page works

The OSX / Dok Trojan initially locates the victim using its IP address. Depending on the geographic position, the proxy is then selected, which redirects to the C&C server (Command and Control) in the correct language via the Tor network and the Dark Net. Or to put it another way: if a bank page is called up, the user does not come to the page on the bank's servers, but is directed to the fake page on the attacker's servers. If you want to see which bank URLs are affected, then I recommend this overview from Check Point:

Source: Check Point

More information and tips

You can find even more information, notes and background information on the current threat for everyone who uses the Apple Mac for online banking in the linked articles from Check Point. There you will also find further graphics and details on the source code of the OSX / Dok trojan. Finally, I would like to suggest a few more articles from this blog:

• Data backup: backup copy as protection against ransomware
• Webcam cover and Camsticker® for iMac, MacBook, iPhone and iPad
• Oversight: Monitor camera and microphone for free
• Malwarebytes 3.0: Anti-Virus, Anti-Ransomware, Anti-Exploit and Web Protection
• Protect your Mac and network: Micro Snitch and Little Snitch

Johannes Domke

After graduating from high school, Johannes completed an apprenticeship as a business assistant specializing in foreign languages. But then he decided to research and write, which resulted in his independence. For several years he has been working for Sir Apfelot, among others. His articles include product introductions, news, manuals, video games, consoles, and more. He follows Apple keynotes live via stream.