SecureMac, Inc.

Checklist 36: Spring Malware Roundup

May 11, 2017

We are only halfway through Spring 2017 here in the states, and yet the season has already seen a lot of news-making malware. On today’s Checklist, we’ll break down the latest developments and cover what you need to know — and, where possible, how you can protect yourself.


  • Researchers uncover powerful new Mac malware, OSX.Dok.
  • OSX.Bella: an open-sourced variation on Dok.
  • The problem AppleScript creates for every Mac user.
  • Well-known Russian malware may be headed for the Mac.
  • Phishers exploited a basic Google Docs vulnerability to hit a million users.

With the midpoint of the year on the horizon, the spring of 2017 has already seen its fair share of news-making malware. With high-profile attacks, outages, and other incidents making mainstream headlines, it’s getting even easier to see that malware isn’t just a problem for hardcore computer users; it’s something that can affect everyone. In today’s episode of The Checklist, we’ll break down the latest developments and cover what you need to know, and, where possible, how you can protect yourself. The first item on our list is a new and recently uncovered piece of Mac-specific malware.

Researchers uncover powerful new Mac malware, OSX.Dok. We talk a lot about the various types of malware that can affect your Mac, but Trojan horses remain one of the most dangerous and widespread threats. The easiest way for a hacker to gain access to your computer isn’t by exploiting vulnerabilities on the web — it’s simply by asking you to install it yourself! That’s the basic idea behind Trojans, of course; they disguise themselves to trick you into inviting them onto your system.

Near the end of April, security researchers from Check Point discovered a new Mac Trojan with some extensive capabilities. Dubbed OSX.Dok, it gets its name from the German word “Dokument”: the malware arrived as a ZIP attachment, and the “document” inside was in fact an application of that name. Luckily, US users are unlikely to have encountered the initial spread of Dok in the wild. Its impact was largely limited to European users, and Apple was quick to revoke the developer certificate the attackers had signed it with. We’ll come back to that in a minute. Before that, what does Dok actually do, and how could someone end up infecting their machine?

Rather than targeting users with a deceptive download on a website, Dok spread via a well-crafted email phishing scheme. The attackers attached the ZIP file containing the malware to emails worded to alarm the recipient. In Check Point’s research, for example, one German user received a message claiming there was a problem with his taxes. The email then encouraged the user to download the attached file for further information.

To some, this might sound suspicious right away, but it can be tough to tell the difference between a real email and a fake one. So, let’s say you download the file and unzip it. Now you have a file called Dokument on your Mac. A savvy user might notice that it doesn’t use the right icon at all; in fact, the outdated thumbnail it uses is visibly pixelated. It’s a poor effort on the attacker’s part, but unfortunately this “tell” isn’t enough. What if you tried to open the so-called document now? That’s where the real attack begins.

Users would normally receive an alert from the system when they try to open the file, warning that it is an application downloaded from the Internet and not the document it claims to be. Should you click past this, you’d immediately see another system-style window saying that the document can’t be opened because it is corrupted. This window isn’t a real system dialog, though; it’s a fake one the malware draws using AppleScript. We’ll come back to that subject later in today’s episode. Users can’t dismiss this box; meanwhile, the malware has copied itself into your Mac’s Shared folder (/Users/Shared), from where it can re-launch and re-infect your machine later on.

At this point Dok pretends it is going to install system updates by displaying a fake “OS X updates” window. This window takes priority, staying on top of everything, even after a restart, until you press the button to begin the “updates.” Now it asks for your password. If you enter it, the malware has an administrator password, and the system becomes unresponsive again while Dok installs a large collection of tools behind your back.

Among the software dropped onto your Mac is a package manager the malware uses to install Tor, and a command-line relay utility that lets it tunnel connections through Tor. Next, it changes your network settings so that your Mac always routes web traffic through a proxy the malware controls. Finally, it installs its own root certificate and marks it as trusted, which lets the attacker impersonate any website the user visits, HTTPS sites included.

The result of all this complex work is actually very simple: whenever you try to visit a website, your browser consults the malware’s proxy configuration, which is served through Tor from the attacker’s hidden service, and learns where to redirect your request. With the rogue root certificate in place, the attacker can now sit as a “man in the middle,” standing between you and the real website you want to visit and pretending to be (and looking exactly like) your destination.

Any information you provide on the site ends up in the attacker’s hands, whether you’re using HTTPS or not. Because your Mac now trusts the attacker’s root certificate, the browser accepts the attacker’s forged site certificates without a warning, so no connection is truly secure. The attacker has full access to anything you do while browsing. As a final touch, the malware deletes itself once installation completes, leaving your system with a wide-open door and little trace of how it got there.
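As an added example (not code from the episode, from Check Point, or from SecureMac’s tools), the Python script below checks the two host settings a Dok-style proxy-plus-root-certificate takeover changes: whether an enabled proxy auto-configuration (PAC) URL points back at the local machine, and whether the System keychain now holds certificates that were absent from a clean baseline. It parses the text printed by the real macOS commands `networksetup -getautoproxyurl` and `security find-certificate -a -p /Library/Keychains/System.keychain`. The sample command output, the PAC address and the certificate bodies embedded below are constructed for the demo (the PEM blocks wrap placeholder bytes, not real certificates), and the baseline fingerprints are assumed to have been recorded earlier from a known-clean Mac.

```python
import base64
import hashlib
import re
import subprocess
import sys
from ipaddress import ip_address


def parse_networksetup(text):
    """Turn the 'Key: value' lines printed by networksetup into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def is_loopback(host):
    """True for 'localhost' and any loopback IP address."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def proxy_findings(settings):
    """Flag an enabled PAC URL. One served from loopback means a process on
    this Mac (Dok's own proxy, in the story above) decides where traffic goes."""
    if settings.get("Enabled", "No").lower() != "yes":
        return []
    url = settings.get("URL", "")
    findings = ["proxy auto-config enabled: %s" % url]
    match = re.match(r"\w+://([^/:]+)", url)
    if match and is_loopback(match.group(1)):
        findings.append("PAC served from loopback host %s" % match.group(1))
    return findings


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in a PEM dump."""
    bodies = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in bodies}


def unexpected_roots(pem_text, baseline):
    """Certificates present now that were not in the clean baseline."""
    return pem_fingerprints(pem_text) - set(baseline)


def check(pac_text, pem_text, baseline):
    """Combine both checks into one list of findings (empty means clean)."""
    findings = proxy_findings(parse_networksetup(pac_text))
    for fp in sorted(unexpected_roots(pem_text, baseline)):
        findings.append("certificate not in baseline: sha256 %s" % fp)
    return findings


def collect_live(service="Wi-Fi"):
    """On a Mac, run the real commands and return their text output."""
    pac = subprocess.run(["networksetup", "-getautoproxyurl", service],
                         capture_output=True, text=True).stdout
    certs = subprocess.run(["security", "find-certificate", "-a", "-p",
                            "/Library/Keychains/System.keychain"],
                           capture_output=True, text=True).stdout
    return pac, certs


# --- constructed demo data: not real command output, not real certificates ---
def fake_pem(der_bytes):
    """Wrap arbitrary bytes in PEM armour; stands in for a real certificate."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der_bytes).decode()
            + "\n-----END CERTIFICATE-----\n")


CLEAN_ROOT_DER = b"placeholder: a legitimate root present at baseline"
ROGUE_ROOT_DER = b"placeholder: a root the malware added afterwards"
BASELINE_ROOTS = pem_fingerprints(fake_pem(CLEAN_ROOT_DER))   # from a clean Mac
SAMPLE_PAC = "URL: http://127.0.0.1:5555/proxy.pac\nEnabled: Yes\n"   # constructed
CLEAN_PAC = "URL: (null)\nEnabled: No\n"
SAMPLE_KEYCHAIN = fake_pem(CLEAN_ROOT_DER) + fake_pem(ROGUE_ROOT_DER)

if __name__ == "__main__":
    if sys.platform == "darwin" and "--live" in sys.argv:
        pac, certs = collect_live()
    else:
        pac, certs = SAMPLE_PAC, SAMPLE_KEYCHAIN
    for line in check(pac, certs, BASELINE_ROOTS) or ["no Dok-style proxy or certificate changes found"]:
        print(line)
```

Run it with `--live` on a Mac to inspect the real settings; without that flag it evaluates the constructed sample, which trips all three findings. The baseline approach matters because a malicious root looks like any other certificate in the keychain; what gives it away is that it was not there before.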

As we mentioned, Apple has already revoked the developer certificate that let this Trojan pass Gatekeeper as legitimately signed software, so this build is now dead on arrival. That’s the good news; tools like MacScan 3 can also detect and remove Dok from a machine that was infected before the revocation. The bad news is that others have already created variants based on the general OSX.Dok framework.

OSX.Bella: an open-sourced variation on Dok. This one was found just a few days after Dok. Researchers at Malwarebytes encountered a Trojan that reuses Dok’s structure to deploy an entirely different payload. Rather than intercepting your web traffic, this version, named OSX.Bella, has an even more nefarious target: the wealth of information stored on your Mac itself.

What makes Bella interesting is that its main payload is open source: anyone can read the Python script powering Bella on GitHub. Before we talk about that, though, let’s do a quick breakdown of Bella and the data it wants to steal.

The initial attack vector is the same as with Dok: a spear-phishing email encouraging you to download an attachment full of important or time-sensitive documents. The “wrapper” for the malware is mostly the same; in fact, it is signed with the same developer certificate that Dok used, so the revocation that killed Dok means Gatekeeper now refuses this build as well. However, attackers are always looking for new ways to obtain or steal Apple developer certificates, so a re-signed version of this threat could come around again. Okay, so let’s say again you’ve downloaded this document and run it, like before. Now what?

A similar “damaged file” box pops up on your screen, but this version skips the fake macOS update window that Dok uses to conceal its installation activity. Instead, the malware installs the open-source package we mentioned; that’s where it gets its name. Created by someone known only by the GitHub handle “Noah,” Bella is an expansive effort. Noah appears to have been writing Python scripts that target Mac data for some time, and Bella brings those scripts together into one package with some extra functionality on top.

If you’re still running macOS 10.12.1 or earlier, Bella can exploit known vulnerabilities in the system to give itself root access. If you’ve kept your machine up to date, the malware simply tries to phish your admin password instead: using AppleScript, it pops up a prompt asking for your password to complete a “system operation.” Success either way gives Bella free rein to run its scripts on your machine.

At its most basic, it can record screenshots and send them home. It can also capture audio and video from your microphone or webcam. That’s already a big breach of your privacy, but it’s just the start of what Noah has in store for those who fall prey to Bella. It will also search for any available iMessage transcripts and SMS records; when it finds them, the malware packs them up and transmits them back across the Internet to its command and control server.

At its worst, Bella can use root access to find the decryption keys for your Keychain in system memory. With these, it can unlock your stored passwords and send them to its operator. If Bella compromised business systems, that could mean a huge potential for expensive damage; even for a personal user, it’s a serious privacy breach. If you suspect you’ve encountered this malware, change your passwords immediately: given its ability to extract data, you cannot assume your logins are still secure.

As one final trick, the malware can even query Find My iPhone to learn the whereabouts of your devices. It’s a good thing Apple was quick to revoke the certificate this application used to fool Gatekeeper. However, remember that Bella’s source code is publicly available on GitHub, so this likely isn’t the last we’ve seen of these malicious scripts. While the Dok dropper is a dead end, it wouldn’t surprise us to see Bella reappear inside another wrapper this year.

We should note that not all of its malicious abilities require root access; some work with an ordinary user’s permissions. With that in mind, it’s important to remember how to protect yourself from Trojan horse threats. While attackers may try to trick us, most of the time it is easy to tell when we should avoid a download.

How often have you received a legitimate, unexpected email with an attachment you really needed to open? Rarely, if ever. Anyone who wants to share important information with you will usually find a more direct method than an unexpected attachment. Pay attention to Gatekeeper warnings, and put on the brakes if you start to open a “document” and receive a warning that it’s actually an application.
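The Gatekeeper warning above, and the revoked certificates behind Dok and Bella, both come down to one question a practitioner asks before opening anything downloaded: who signed this, and does Gatekeeper still accept it? As an added example (not from the episode, and not from Apple’s documentation), the Python below parses what macOS’s own tools say, Gatekeeper’s verdict from `spctl --assess --type execute -vv <app>` and the signing chain and Team ID from `codesign -dvv <app>`, and refuses to treat a valid Developer ID as trust on its own: Apple issuing a certificate to a developer says nothing about that developer’s intent, as Dok showed. The sample tool output, app paths, developer names and Team IDs below are constructed placeholders, and the allow-list of Team IDs is something you would maintain yourself.

```python
import re
import subprocess


def parse_spctl(text):
    """Pull Gatekeeper's verdict and the signer it attributes the app to."""
    verdict = re.search(r":\s*(accepted|rejected)\b", text)
    fields = dict(re.findall(r"^(\w+)=(.*)$", text, re.M))
    return {"verdict": verdict.group(1) if verdict else "unknown",
            "source": fields.get("source", "").strip(),
            "origin": fields.get("origin", "").strip()}


def parse_codesign(text):
    """Collect the certificate chain (leaf first) and Team ID from codesign -dvv."""
    team = re.search(r"^TeamIdentifier=(.*)$", text, re.M)
    return {"authorities": [a.strip() for a in re.findall(r"^Authority=(.*)$", text, re.M)],
            "team_id": team.group(1).strip() if team else ""}


def assess(gatekeeper, signature, trusted_team_ids=()):
    """Decide whether to open the app. Every note is a reason not to."""
    notes = []
    if gatekeeper["verdict"] != "accepted":
        notes.append("Gatekeeper verdict: %s (source: %s)"
                     % (gatekeeper["verdict"], gatekeeper["source"] or "none"))
    chain = signature["authorities"]
    if not chain:
        notes.append("app is not code-signed")
    elif chain[-1] != "Apple Root CA":
        notes.append("signature chains to %r, not Apple Root CA" % chain[-1])
    team = signature["team_id"]
    if trusted_team_ids and team not in trusted_team_ids:
        notes.append("Team ID %s is not on your allow list; a valid Developer ID "
                     "only proves Apple issued someone a certificate" % (team or "(none)"))
    return {"open": not notes, "notes": notes}


def check_app(path, trusted_team_ids=()):
    """Live check on a Mac; both tools print their details to stderr."""
    gk = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                        capture_output=True, text=True)
    cs = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return assess(parse_spctl(gk.stdout + gk.stderr),
                  parse_codesign(cs.stdout + cs.stderr), trusted_team_ids)


# --- constructed sample output (placeholder names, paths and Team IDs) ---
GOOD_SPCTL = ("/Applications/Example.app: accepted\n"
              "source=Developer ID\n"
              "origin=Developer ID Application: Example Corp (ABCDE12345)\n")
GOOD_CODESIGN = ("Executable=/Applications/Example.app/Contents/MacOS/Example\n"
                 "Identifier=com.example.app\n"
                 "Authority=Developer ID Application: Example Corp (ABCDE12345)\n"
                 "Authority=Developer ID Certification Authority\n"
                 "Authority=Apple Root CA\n"
                 "TeamIdentifier=ABCDE12345\n")
# What a build signed with a since-revoked certificate looks like: the chain is
# still embedded in the app, but Gatekeeper no longer accepts it.
REVOKED_SPCTL = ("/Users/me/Downloads/Dokument.app: rejected\n"
                 "source=Developer ID\n")
REVOKED_CODESIGN = ("Executable=/Users/me/Downloads/Dokument.app/Contents/MacOS/Dokument\n"
                    "Identifier=com.example.placeholder\n"
                    "Authority=Developer ID Application: Placeholder Name (ZZZZZ99999)\n"
                    "Authority=Developer ID Certification Authority\n"
                    "Authority=Apple Root CA\n"
                    "TeamIdentifier=ZZZZZ99999\n")

if __name__ == "__main__":
    for label, sp, cs in (("Example.app", GOOD_SPCTL, GOOD_CODESIGN),
                          ("Dokument.app", REVOKED_SPCTL, REVOKED_CODESIGN)):
        result = assess(parse_spctl(sp), parse_codesign(cs), trusted_team_ids=("ABCDE12345",))
        print(label, "open" if result["open"] else "do not open", result["notes"])
```

On a real Mac, `check_app("/path/to/Something.app", trusted_team_ids=(...))` runs both tools for you. The point of the allow list is the one the episode keeps returning to: Dok and Bella were both properly signed right up until Apple revoked the certificate, so “signed” alone was never the right test.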

A healthy level of suspicion toward unknown files and content will help keep your machine safe, and so will solid anti-malware protection. Part of what makes Bella so deceptive, though, is its ability to create dialog boxes via AppleScript. We mentioned this while discussing Dok. What should you know about the potential dangers of this otherwise very useful Mac feature?

The problem AppleScript creates for every Mac user. Let’s start with the basics: what is AppleScript? It’s a scripting language that has shipped with the Mac since the early 1990s. The idea is to give users an easy, readable way to automate and extend the system using an English-like syntax.

For example, you might need to change the file names on a batch of music files you imported from an old CD collection. You could write an AppleScript to rename them all according to certain rules. Another example: gathering input from the user to run a search or return a specific kind of response. Writing such a script takes only a few minutes, and then in seconds it does a task that might otherwise have taken hours. It’s a powerful tool, but one that can be abused because of how freely it can drive the Mac’s user interface.

AppleScript lets you interact not only with the system but with a great many other programs as well. You could write a short script to organize bookmarks, or to have your web browser react to a system event of your choosing; that kind of use isn’t the problem. The problem is that a script can also put up its own dialog boxes, choosing their icon, title and wording, and can include a text field that masks whatever you type into it. The result is a dialog that is easily mistaken for a real prompt from the system.

This is the method that lets Bella phish passwords from users. In fact, it’s very easy to create a series of AppleScript dialogs that closely mimic what the real system does and looks like. In a write-up about this problem, Duo Security pointed out that a clever attacker could even build a sequence of AppleScript dialogs to fool users into giving up a password in order to “use” Touch ID on the new MacBooks.

So how can you tell when you’re looking at a fake window? Unfortunately, there isn’t a surefire way to know for certain. With the right icon and header, nothing visible distinguishes it from a legitimate system prompt. English isn’t always a malware author’s first language, though, so typos or other errors may tip you off to the ruse on your screen. Overall, you’ll need to rely on good old-fashioned caution and vigilance. Until Apple finds a way to prevent misuse of this feature, the danger will remain for every Mac user.
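There is one check that the dialog’s appearance can’t defeat: asking which process is drawing it. A genuine macOS authorization prompt is drawn by the system’s SecurityAgent, whereas an AppleScript `display dialog` is drawn by whatever ran the script, usually `osascript`, and when the script was passed inline with `-e`, its full text (including the password wording) is visible in the process list. As an added example (not from the episode, from Duo’s write-up, or from Bella), the Python below applies that triage to the output of `ps -axo pid,ppid,comm,args`, to be run while a suspicious prompt is still on screen. The process listings embedded below are constructed for the demo; the paths, PIDs and dialog text are placeholders.

```python
import os
import re
import subprocess

DIALOG_RE = re.compile(r"display dialog", re.I)
SECRET_RE = re.compile(r"hidden answer|password", re.I)
SCRIPT_RUNTIMES = {"osascript"}      # the usual host for an inline AppleScript dialog
SYSTEM_PROMPTER = "SecurityAgent"    # draws genuine macOS authorization prompts


def parse_ps(text):
    """Rows from `ps -axo pid,ppid,comm,args`; comm is a full path on macOS."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        rows.append({"pid": int(parts[0]), "ppid": int(parts[1]),
                     "name": os.path.basename(parts[2]),
                     "args": parts[3] if len(parts) > 3 else ""})
    return rows


def triage(rows):
    """Report who could be drawing the prompt on screen right now."""
    by_pid = {r["pid"]: r for r in rows}
    findings = []
    for r in rows:
        parent = by_pid.get(r["ppid"], {}).get("name", "?")
        if DIALOG_RE.search(r["args"]):
            reason = "inline AppleScript draws a dialog"
            if SECRET_RE.search(r["args"]):
                reason += " that asks for a password"
            findings.append({"pid": r["pid"], "process": r["name"],
                             "parent": parent, "reason": reason})
        elif r["name"] in SCRIPT_RUNTIMES:
            # Script came from a file, so its text is not in the command line.
            findings.append({"pid": r["pid"], "process": r["name"], "parent": parent,
                             "reason": "scripting runtime is active; its dialog text is not visible here"})
    genuine = any(r["name"] == SYSTEM_PROMPTER for r in rows)
    return {"genuine_prompt": genuine, "findings": findings}


def triage_live():
    """On a Mac, snapshot the process list and triage it."""
    out = subprocess.run(["ps", "-axo", "pid,ppid,comm,args"],
                         capture_output=True, text=True).stdout
    return triage(parse_ps(out))


# --- constructed process listings (placeholder paths, PIDs and dialog text) ---
SAMPLE_PS_FAKE = """\
  PID  PPID COMM             ARGS
    1     0 /sbin/launchd    /sbin/launchd
  640     1 /Users/me/Downloads/Dokument.app/Contents/MacOS/Dokument /Users/me/Downloads/Dokument.app/Contents/MacOS/Dokument
  731   640 /usr/bin/osascript osascript -e display dialog "macOS needs your password to finish installing updates." default answer "" with hidden answer with title "Software Update"
"""
SAMPLE_PS_REAL = """\
  PID  PPID COMM             ARGS
    1     0 /sbin/launchd    /sbin/launchd
  512     1 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
"""

if __name__ == "__main__":
    for label, listing in (("fake prompt", SAMPLE_PS_FAKE), ("real prompt", SAMPLE_PS_REAL)):
        result = triage(parse_ps(listing))
        print(label, "| SecurityAgent present:", result["genuine_prompt"])
        for f in result["findings"]:
            print("  pid %(pid)d %(process)s (parent %(parent)s): %(reason)s" % f)
```

The parent process is the useful part of the report: a password dialog whose `osascript` was launched by a freshly downloaded “Dokument” is exactly the Bella scenario, while a prompt with SecurityAgent running and no scripting runtime in sight is what a real request for administrator rights looks like.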

When you encounter a dialog box you didn’t expect, ask yourself a few questions. First: did I do anything that would logically make this box appear? That might be trying to work with FileVault or Time Machine, for example. Second: is this the kind of program that usually prompts me for things? iTunes asking for authentication out of the blue is a good example of something you wouldn’t normally encounter. A program that never prompts you for information would be even more suspicious.

In a very recent example, the popular video encoding software Handbrake had one of its download servers compromised. The hijackers infected the legitimate app with their own Trojan. The app downloaded and installed exactly as expected, but when the user ran it, the Trojan asked for administrator privileges, which is not something Handbrake would normally ask for or need. Handbrake has since cleaned the download server, so copies downloaded after May 6th are safe; anyone who downloaded it in the days before that should check their machine. But again, be on the lookout for apps asking for permissions they wouldn’t normally need.

One final question: is there any good reason this program needs a password? Most of the time, the answer is no. That should tell you everything you need to know about a dialog box’s legitimacy. If you avoid malware infections in the first place, it’s not a problem – but the reality is that misuse of AppleScript poses a potential threat to every Mac user. We’ll be watching to see if and how Apple takes steps to fix this problem.

Well-known Russian malware may be headed for the Mac. Not all malware aims at everyday users or seeks relatively mundane information like usernames and passwords. History has already shown us several examples of malware deployed as a tool of sabotage, as was the case with the Stuxnet worm. Malware researchers pay close attention to the major, well-resourced groups whose tools turn up on computers around the world. These “advanced persistent threats,” or APTs, are behind some of the nastiest malware on the Internet.

Researchers know one such tool as the “Snake” malware. It’s also sometimes called Turla, after the APT presumed responsible for it, and others know it as “Uroburos,” after the snake that is forever eating its own tail. Whatever we call it, it’s a very powerful spyware rootkit capable of exerting enormous control over an infected system. Until very recently it was found mostly on Windows machines, though Linux versions have turned up as well.

Most of the targets of these Windows attacks are government or military computers. For example, the government of Belgium suffered a Snake infection at one point, and computers in the US have been known to be infected as well. Snake has also been discovered snooping on computers inside the Ukrainian government. It shouldn’t come as any surprise that most researchers tie Snake to unidentified Russian government entities.

So, what does this Windows malware have to do with Macs? Unfortunately, it seems that efforts may be underway to develop a working version of this spyware kit for macOS. Researchers from Fox-IT found a developmental version of Snake whose dropper is disguised as an Adobe Flash Player update. The delivery works much like Dok’s: Snake is usually distributed via phishing emails with an attachment. That should be a red flag on its own: when have you ever updated software through an email attachment?

Snake, too, was signed with an Apple developer certificate so that it would pass Gatekeeper. However, the version analyzed by Fox-IT was clearly a non-functional test build: several areas in the code still contained placeholder values, debug functionality was still present, and the code signature dates back several months. It’s not likely that a working version is out in the wild yet.

While we can’t say for sure when or if Snake will make its debut in a fully functional form on Macs, this is one story to watch. macOS is clearly becoming a bigger target for APTs, though given this campaign’s narrow focus, the average user is unlikely to encounter Snake. We’ll be sure to update you with any new developments as they happen.

Phishers exploited a basic Google Docs vulnerability to hit a million users. Our final topic today concerns a story you might have already heard about on the news. It’s hard to avoid making headlines when a phishing campaign “goes viral” and strikes tons of users. That’s just what happened when someone launched a phishing campaign that was deceptively simple in design. The goal: prey on the inherent trust users place in Google.

A typical Google Docs phishing scheme is relatively easy to detect. You receive a link from someone, either in a message or via email, and the page that results is a fake login form. You could see a similar type of faux-website hosted on Dropbox or another cloud storage service. In this case, a quick look at your address bar tells you everything you need to know: it’s not a real Google page, just a hosted document.

The attack that made waves recently, though, was very different. First, you would receive an email from a friend in your contacts list with the typical message about sharing a Google Doc with you. Inside the email is the “View on Docs” button, but upon clicking, you don’t arrive at a document. Instead, you’re taken to a real Google authorization page, because you’re interacting with a third-party web app deceptively named “Google Docs.” The message you see after selecting which account to use is something you might normally expect to skim past: “Google Docs would like to read, send, delete, and manage your email.”

Well, you might not expect that particular message. But we’ve all granted other kinds of access to legitimate apps to help us manage our email or extend Google’s functionality, and this one also asks to manage your contacts. So, if you click Accept, you’ve suddenly given this app free rein over your entire email account. It can now use that access to bombard all your contacts with the same link while using your account to send spam. If you were a victim of this attack, revoking access is easy: visit the page for connected apps in your Google account settings and remove the fake “Google Docs” app.

Google has since blocked this app, but the underlying issue remains. The only way to see right away that an app is not what its name claims is to check the developer behind it. Unfortunately, even though that takes only one click on the authorization page, it’s not an intuitive element of the interface and is very easy to miss. That makes it all too easy for someone clicking quickly through a familiar pattern of screens to grant access to a malicious or deceptive app by accident.

Google was warned years in advance about this particular attack vector. Hopefully, the high-profile nature of this event will spur some action toward better securing the app authorization process; putting an end to third-party developers using names like “Google Docs” would be a good first step. At the same time, this is another good reminder to pay close attention to what you authorize. Whenever an app wants access to something in your Google account, review its request very closely: the permission list itself cannot be faked, because Google generates it from the scopes the app requested. Click on the app’s name to see the developer, and verify that they are trustworthy too. These simple steps can help prevent another widespread problem like this one.
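The consent screen shows exactly three things worth checking: the name the app chose for itself, the developer behind it (one click away), and the list of permissions Google derived from the scopes in the app’s authorization request. As an added example (not code from the episode or from Google), the Python below turns those three checks into a policy: a document-sharing notification never needs a token at all, a genuine Docs add-on would at most need per-file Drive or Docs access, and no third party should be allowed to present itself under a Google product name. The scope identifiers are Google’s real ones; the two authorization URLs, their `client_id` values and redirect addresses are constructed for the demo.

```python
from urllib.parse import parse_qs, urlparse

# Google's real scope identifiers; the plain-English descriptions are ours.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full read, send and delete access to Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/contacts": "read and manage contacts",
    "https://www.googleapis.com/auth/drive": "full access to Drive",
}
# Names a third-party app should never be allowed to present on a consent screen.
RESERVED_NAMES = {"google docs", "google drive", "google", "gmail", "google calendar"}
# The most a legitimate Docs add-on would need (assumed policy for this demo).
EXPECTED_FOR_DOCS = {"https://www.googleapis.com/auth/drive.file",
                     "https://www.googleapis.com/auth/documents"}


def parse_auth_request(url):
    """Fields of an OAuth 2.0 authorization request; scopes are space-separated."""
    query = parse_qs(urlparse(url).query)
    scopes = set()
    for value in query.get("scope", []):
        scopes.update(value.split())
    return {"client_id": query.get("client_id", [""])[0],
            "redirect_uri": query.get("redirect_uri", [""])[0],
            "scopes": scopes}


def assess_consent(app_name, developer, request, expected_scopes=EXPECTED_FOR_DOCS):
    """Evaluate what the consent screen shows: chosen name, developer, scopes."""
    problems = []
    if app_name.strip().lower() in RESERVED_NAMES and developer.strip().lower() != "google":
        problems.append("third party %r is presenting itself as %r" % (developer, app_name))
    for scope in sorted(request["scopes"]):
        if scope in HIGH_RISK_SCOPES:
            problems.append("asks for %s (%s)" % (HIGH_RISK_SCOPES[scope], scope))
        elif scope not in expected_scopes:
            problems.append("asks for a scope unrelated to documents: %s" % scope)
    return {"verdict": "deny" if problems else "allow", "problems": problems}


# --- constructed authorization requests (placeholder client IDs and redirects) ---
PHISH_URL = ("https://accounts.google.com/o/oauth2/auth"
             "?client_id=000000000000-placeholder.apps.googleusercontent.com"
             "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
             "&response_type=code"
             "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts")
ADDON_URL = ("https://accounts.google.com/o/oauth2/auth"
             "?client_id=111111111111-placeholder.apps.googleusercontent.com"
             "&redirect_uri=https%3A%2F%2Faddon.example%2Fcallback"
             "&response_type=code"
             "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file")

if __name__ == "__main__":
    cases = [("Google Docs", "someone@example.invalid", PHISH_URL),
             ("Example Docs Add-on", "Example Corp", ADDON_URL)]
    for name, dev, url in cases:
        result = assess_consent(name, dev, parse_auth_request(url))
        print(name, "->", result["verdict"])
        for p in result["problems"]:
            print("   ", p)
```

The first case reproduces the shape of the campaign described above: a reserved product name, a developer who is not Google, and Gmail plus contacts scopes that no document share could justify. The second, a hypothetical add-on asking only for per-file Drive access under its own name, passes.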

That’s everything we have for today’s episode of The Checklist. Most of the malware we’ve discussed today has been neutralized, but you can be sure 2017 is just getting started with news-making malware. Whether we’ll see the Snake malware become fully functional, or encounter more phishing attempts with AppleScript remains to be seen. As always, you should exercise caution and schedule a regular anti-malware scan. Thanks to our listeners for joining in again, and don’t forget to come back again next week when we’ll have a brand-new topic to discuss.

If you’d like more information on this topic, or if there’s a specific one you’d like to see us cover in the future, send us an e-mail at checklist@securemac.com!
