Malware installs Signal as part of scheme to steal Mac users’ banking credentials

A harbinger of ported threats to come for Mac users?

David bisson
David Bisson
@
@DMBisson

Malware installs Signal as part of scheme to steal Mac users' banking credentials

New Mac malware is mysteriously pushing the Signal private-messaging app onto victims’ mobile devices as part of a scheme to steal their banking credentials.

The threat, which goes by the name OSX/Dok, uses phishing mail laden with a malicious application as its attack vector. Those who crafted this campaign purchase Apple certificates (US $99) to sign their malicious application. Such willingness helps the malware bypass Gatekeeper’s ever-watchful gaze.

Upon successful installation, OSX/Dok modifies the OS settings with a shell command that disables security updates. It also alters the local host file so that all communication with various Apple websites, as well as VirusTotal, gets redirected to the local machine. These changes prevent the machine from contacting outside services that the victim could use for detection and recovery.

Sign up to our free newsletter.
Security news, advice, and tips.

MacbookNext, OSX/Dok gets to work with its pre-show: a man-in-the-middle (MitM) attack designed to intercept the victim’s traffic. For this trick, it installs the Tor browser and a proxy before geolocating the hapless user and sending over some approximately proxy file settings.

Ofer Caspi of Check Point’s malware research team explains the point behind these efforts:

“The proxy file will redirect all traffic to the mentioned domains, used mainly by banks (such as ‘credit-suisse’, ‘globalance-bank’, ‘cbhbank’’ etc.) or other financial entities, to the local proxy that the malware had set up on the local machine. The proxy will then redirect it to the malicious C&C server on TOR (currently is ‘m665veffg3tqxoza.onion’). This way, once the victim tries to visit any of the listed sites, they will be redirected to a fake website on the attacker’s C&C server.”

Only after it has completed its MitM attack does OSX/Dok strap in for its main event. When the victim visits a web page for one of the targeted banks, they see a malicious copy of the actual bank’s website prompting them to download an application onto their mobile devices “for security reasons.”

The prompt to install a mobile phone application for security reasons.
The prompt to install a mobile phone application for security reasons.

If the user submits a working phone number, the attackers send them a link to download the mobile application. At this time, those behind this malware campaign are sending victims a link to Signal, the encrypted messaging app.

App install link

Caspi is not exactly sure why OSX/Dok’s handlers are pushing Signal onto victims. But he has a theory:

“It is possible that Signal installed on the victim’s mobile device would allow the attacker to communicate with the victim at a later stage, as the perpetrator is not necessarily active at the same time the victim reaches for the banking site. Using Signal may make it easier for the attacker to masquerade as the bank and trick the victim into providing the SMS they had received from the real bank , when the attacker tries to log in to the site (in case the credentials alone are not enough due to the 2FA). Similarly, the perpetrator might use Signal to commit additional fraudulent activities against victim at a later time. Whatever the goal may be, Signal will possibly make it harder for law enforcement to trace the attacker.”

Finally, the criminals then gain access to the victim’s bank account, at which point in time they can do whatever they want with it.

Troubling? Yes. Preventable? You betcha.

An isolated incident? Perhaps not for long.

As it turns out, OSX/Dok is copy of the Windows-based Retefe trojan. Attackers have simply ported the malware to macOS.

You see where this could be going? Let Caspi spell it out for you:

“The fact that the OSX/Dok is ported from Windows may point to a tendency. We believe more Windows malware will be ported to macOS, either due to the lower number of quality security products for macOS compared to the ones for Windows, or the rising popularity of Apple computers. According to Gartner, Macs have more than tripled their total market share in less than a decade.”

With the influx of macOS-based malware ported from Windows-based threats as a distinct possibility, it’s important that Mac users take some steps to protect their computers.

First of all, they need to lose that “holier-than-thou” attitude and realize EVERYONE – not just Windows users – are vulnerable to malware. Then the healing can begin with the installation of an anti-virus solution. And don’t forget to avoid suspicious links and email attachments!


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

12 comments on “Malware installs Signal as part of scheme to steal Mac users’ banking credentials”

  1. Bob King

    1. Use Chrome
    2. Install products from Objective-See.
    3. Don't listen to people who's only interest is to sell you a product you do not need.

  2. Kam Banwait

    Any recommendations on apps for Mac to scan for such apps?

    1. Graham CluleyGraham Cluley · in reply to Kam Banwait

      AV-Test.org recently put anti-virus products for Mac through their paces.

      Read https://www.av-test.org/en/news/news-single-view/10-antivirus-suites-for-macos-sierra-put-to-the-test/

      A number of vendors do free anti-virus software for Mac users, so read up and try them out!

  3. Nik

    It's just a ploy to sell snake oil, e.g. anti virus for Mac which is unneeded. AV for mac will not prevent human stupidity, e.g. clicking on a "malware laden" phishing email.

    If you click on an email link and install a program and then give the program administrator rights by entering your admin password, then nothing and no one can help you. You always have the right to compromise your own computer. And social engineering will always fool some.

    On windows, the first thing this malware will do is disable all the AV programs. I've also recently seen first hand that malware is stronger than AV software, I had some malware on a friends Windows computer that I could remove only by reinstalling Windows. I tried many different AV products, none of them actually removed the malware, it always found a way back in. This cost me 2 days of scanning, rebooting, deleting malware etc…

    For this reason I am not sure anyone needs AV on Windows either. It doesn't work. Same for Mac.

    1. Graham CluleyGraham Cluley · in reply to Nik

      Hi Nik.

      If only everyone was as smart as you and never clicked on a dangerous attachment or dodgy link.

      Unfortunately, people do make mistakes – all the time. And so anti-virus software serves as a helpful safety net for them, reducing the chances of a successful infection.

      Furthermore, anti-virus software helps reduce the chances of being hit a threat which requires zero user interaction (such as drive-by downloads, remote code execution attacks, etc)

      My recommendation is that people should run anti-virus software on their home and business computers – both Windows and Mac. There are some great solutions out there available for free for home users if you're worried that this is just "snake oil".

  4. Mike

    I've been hearing the "you're about to be over run" and "it's your turn now" with Malware warnings for a long time… Crickets… Nik is right – unless you're not too bright and you hand over unsolicited admin like hot cakes, you're fine.

    1. Graham CluleyGraham Cluley · in reply to Mike

      I'm not saying anyone is about to be over run. There's definitely much less malware written for Mac than there is for Windows or Android, but that doesn't mean Mac malware doesn't exist and doesn't infect users in the real world.

      There are plenty of examples of real life Mac malware infection. Feel free to do the research yourself, or check on other reputable sources of computer security information.

      As a starter, I recommend you check up on the Flashback malware which infected over 600,000 Macs including a few hundred at a company in Cupertino…

  5. Bob king

    New Mac malware is mysteriously pushing the Signal private-messaging app onto victims' mobile devices as part of a scheme to steal their banking credentials.

    Looks like it is for iOS not MacOS.

  6. Bob king

    Signal is not an MacOS app or at least I could not find it on the App store.

    1. Graham CluleyGraham Cluley · in reply to Bob king

      The malware is for Mac.

      It encourages you (for reasons best known to itself) to install the Signal app onto your mobile device.

  7. Alex

    AV test lists MacKeeper in that list of tested suites. MacKeeper is at best unwanted software from a very shady company and at worst actively malicious. I can’t take AV test seriously if they consider MacKeeper a legitimate security program. Other reputable security tools for the Macintosh platform detect and remove MacKeeper as unwanted garbage.

    1. Graham CluleyGraham Cluley · in reply to Alex

      If you read this website you'll see I've slagged off MacKeeper multiple times for its shoddy marketing practices.

      AV-Test.org, however, is only interested in the numbers. In short, how much malware can product XYZ detect?

      Reading AV-Test’s latest Mac comparison it's clear that MacKeeper dramatically underperforms its competitors when it comes to malware detection. Another nail in their coffin I expect.

      It's good that independent testing labs expose MacKeeper's poor performance. You shouldn't criticise AV-Test.org for doing that, especially if you're not a fan of MacKeeper in other areas.

Leave a Reply to Graham Cluley Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.