macOS Trojan OSX/Dok installs the Signal messenger and steals banking data

According to the renowned software company Check Point, the macOS Trojan OSX/Dok is back, and this time it installs the Signal messenger while also stealing account details for online banking. The latter basically works without Signal, which is why the security experts assign the messenger app different roles. It may only serve as a placeholder for mobile attacks on the iPhone by fraudsters who want to steal bank data with the macOS Trojan OSX/Dok.

If you do online banking with an Apple Mac, iMac or MacBook, then you should not run into the OSX/Dok Trojan, which infects Mac OS X and macOS.

Mac Trojans: OSX/Dok under the microscope since April 2017

As early as April 2017, Check Point pointed out in a post the Mac malware that attacks Apple users' data. Even then, the attackers' goal was to read the victims' communications, including and above all those running over encrypted SSL connections. The goal of OSX/Dok is clearly data theft by spying on confidential information, email addresses and passwords. In addition, according to Check Point, the situation is the same as in April: users of Apple Mac, MacBook and iMac in Europe are particularly affected.

Worth reading: Do I need antivirus software on the Mac or MacBook?

New malware version: banking information and Signal Messenger

[...] the sneaky actors behind [the OSX/Dok malware] don't give up yet. They target the victim's banking credentials by mimicking sites from major banks.

Check Point reports this in a current article. In addition to spying on online banking credentials, Mac users are prompted to install an app on their smartphone (iPhone). A QR code is provided for this, which is used to bypass authentication.

The app is currently the Signal messenger, which can take on the following roles:

  • Bypassing or simulating the two-factor authentication that is otherwise implemented via SMS
  • Placeholder that the cyber criminals swap for their own app in later versions of the malware
  • Communication path for further malware, blackmail (ransomware) or similar
  • Measuring the success of the malware, which is apparently high judging by the many installations

Why is the malware not recognized by the Apple Mac?

Apple and its individual products, from iMac and Mac to MacBook, iPhone and iPad, have long been considered safe and unassailable. However, due to the growing popularity and number of users, cyber criminals are now making much more effort and finding ways to infiltrate Macs as well. Viruses, malware, ransomware, Trojans and more are no longer just the problem of Microsoft Windows and PC users. For example, the attackers buy Apple certificates to evade Apple's Gatekeeper security mechanism.

Fake bank page using the example of Credit Suisse

In the linked post by Check Point you will find a comprehensive representation of the fake page that the OSX/Dok malware displays when the victim wants to use Credit Suisse online banking. This bank is only one example, since in addition to banks in Switzerland, Germany and Austria, other banking sites in Europe are or may be affected. In any case, the fake page shows a message about the "modernization of the security system" and asks you to install the mobile application:

Source: Check Point

This is how you recognize a fake bank page

The pages are as alike as two peas in a pod; even the current security notice on the real Credit Suisse page, which warns about phishing e-mails, has been copied. However, here are three characteristics by which you can recognize a fake online banking site that is related to the Mac Trojan:

  Characteristic                Real Credit Suisse site          Fake site for data theft
  SSL certificate               "Credit Suisse Group AG (CH)"    "Secure"
  Authentication token in URL   "Auth? ~ ..."                    "Auth? Language = ..."
  Years in copyright            1997 – 2017                      1997 – 2013
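As an added example (not code from the blog post or from Check Point), here is a small Python check that encodes the three indicators from the table above, so that a screenshot or a support ticket can be scored quickly; the hostnames and footer strings are constructed placeholders, not real bank URLs.

```python
import re
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Organization named in the real site's EV certificate (taken from the table above).
EXPECTED_CERT_ORG = "Credit Suisse Group AG"


def check_banking_page(cert_subject_org, url, footer_text, current_year=None):
    """Return the list of indicators that match the fake page described above.

    cert_subject_org: organization (O=) the browser shows for the TLS certificate, None if absent
    url:              URL in the address bar
    footer_text:      copyright line from the page footer
    An empty list means none of the three indicators fired.
    """
    current_year = current_year or date.today().year
    findings = []

    # 1. The real site has an EV certificate naming the bank; the fake one only shows "Secure".
    if not cert_subject_org or EXPECTED_CERT_ORG not in cert_subject_org:
        findings.append("certificate does not name " + EXPECTED_CERT_ORG)

    # 2. The real login URL looks like 'Auth?~<token>'; the fake one uses 'Auth?Language=...'.
    query = urlsplit(url).query
    if "Language" in parse_qs(query):
        findings.append("URL carries 'Language=' instead of an auth token")
    elif not query.startswith("~"):
        findings.append("URL has no '~' auth token")

    # 3. The copyright range on the fake page ends in 2013 instead of the current year.
    m = re.search(r"(\d{4})\s*[–-]\s*(\d{4})", footer_text)
    if m is None:
        findings.append("no copyright year range in footer")
    elif int(m.group(2)) < current_year:
        findings.append("copyright ends in %s, expected %d" % (m.group(2), current_year))

    return findings


# Constructed samples modelled on the table above (placeholder hostname, not a real bank).
REAL_PAGE = dict(cert_subject_org="Credit Suisse Group AG",
                 url="https://bank.example/Auth?~a1b2c3",
                 footer_text="Copyright © 1997 – 2017")
FAKE_PAGE = dict(cert_subject_org=None,
                 url="https://bank.example/Auth?Language=de",
                 footer_text="Copyright © 1997 – 2013")

if __name__ == "__main__":
    for name, page in (("real", REAL_PAGE), ("fake", FAKE_PAGE)):
        print(name, check_banking_page(current_year=2017, **page) or "no indicators")
```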

This is how redirecting to the fake page works

The OSX/Dok Trojan first locates the victim using its IP address. Depending on the geo-location, a proxy is then selected, which redirects in the correct language to the C&C (command and control) server via the Tor network and the dark net. In other words: if a bank page is called up, the user does not reach the page on the bank's servers, but is directed to the fake page on the attackers' servers. If you want to see which bank URLs are affected, I recommend this overview from Check Point:

Source: Check Point

More information and tips

You can find even more information, notes and background on the current threat for everyone who uses the Apple Mac for online banking in the linked articles from Check Point. There you will also find further graphics and details on the source code of the OSX/Dok Trojan. Finally, I would like to suggest a few more articles from this blog:

Did you like the article and did the instructions on the blog help you? Then I would be happy if you would support the blog via a Steady membership or on Patreon.

2 comments on "macOS Trojan OSX/Dok installs the Signal messenger and steals banking data"

  1. Maybe you won't get this Trojan until you go to Check Point. All very dubious.
    Separate multiple backups and a slider for the camera, on the other hand, are good tips, and I have been doing that for a long time.
    And I don't even react to emails from banks. I also don't understand how PayPal, for example, still sends notice of a new account overview by email.

    1. Yes, that is the right attitude. Nothing really important comes from a bank via email. And certainly not an indication that the access data must be verified. Unfortunately, with PayPal you have the problem that information is sometimes sent by email. I would like them to have 2-factor authentication. That would make the whole thing much less risky. Best regards! Jens


In the Sir Apfelot Blog you will find advice, instructions and reviews on Apple products such as the iPhone, iPad, Apple Watch, AirPods, iMac, Mac Pro, Mac Mini and Mac Studio.