Apple has revoked the legitimate developer certificate used by a sophisticated Mac trojan that can listen in on encrypted communications—even as a more advanced variant has emerged.
The OSX/Dok malware, discovered last week by Check Point, is a dropper that masquerades as a zipped document signed with the now-revoked certificate. Once opened, it installs on the targeted Mac and then fetches additional malware designed to intercept all HTTP and HTTPS traffic.
This week, after Check Point’s initial discovery, Adam Thomas, a Malwarebytes researcher, found a variant of the OSX.Dok dropper that behaves altogether differently and installs a completely different payload—one with more advanced capabilities. This variant, dubbed Bella, has the same form as the dropper for OSX.Dok—a zipped app named Dokument.app, masquerading as a document, and is signed with the same certificate.
Bella can exfiltrate iMessage and SMS transcripts, locate devices via Find My iPhone and Find My Friends; phish passwords; capture data from the microphone and webcam; take screenshots; and remote shell and screen sharing. Bella also includes the capability to escalate to root privileges. Business users should be aware that this malware could exfiltrate a large amount of company data, including passwords, code-signing certificates, hardware locations and much more.
While Apple has addressed the certificate aspect of the issue, defanging both Bella and OSX.Dok, this is unlikely the end of the malware.
“Since the code signing certificate on the Dokument.app dropper for this malware has been revoked, no one can be newly-infected by this particular variant of this malware at this point,” said Thomas Reed, director of Mac products at Malwarebytes, in a blog. “However, since Bella is open-source and surprisingly powerful for a Python script, it’s quite likely it will be dropped by other malicious installers in the future.”
It should be noted that the computing giant has also pushed out an update for its XProtect built-in security software to account for OSX/Dok attacks and others like them.