A new strain of Mac malware affects every version of macOS and is signed with a valid Apple Developer ID certificate, so Gatekeeper lets it run without the warning it normally shows for software from unidentified developers.
The malware is being distributed through an email phishing campaign. The emails claim there are problems with your tax return, with the details in an attached .zip file. Opening the archive does not reveal any tax documents; instead the payload installs a small executable named AppStore.
That program registers itself to run at every boot and keeps running until the full malware package has been installed. Once that happens, users see a fake macOS update window that looks reasonably close to the real thing. The "update" window sits on top of every other window and prevents you from using the computer until you click update.
Clicking update prompts you for your password, and that is where the real damage starts. With the administrator privileges just granted, the malware installs the Tor client and changes the system's web proxy settings so that all your web traffic is routed through a third-party proxy server. It also installs a certificate of its own into the system's trusted store; that is the step that lets the proxy decrypt HTTPS sessions, since a proxy sitting in the middle of an HTTPS connection without a trusted certificate would only produce browser warnings.
With that in place, the attacker can see and modify all of your web browsing, including data sent over HTTPS connections that would normally be protected. With that kind of access and a little time, the attacker can harvest logins for every site you use, online banking details, and essentially anything else that passes through the browser.
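Two of the indicators described above, a launch agent that runs at boot and a system-wide proxy that the user never configured, can be triaged from a plist file and from `networksetup` output. The script below is an added example written for this article, not code from the original report or from the malware's analysts. The plist and the proxy listings are constructed samples; the label `com.apple.AppStore.updater`, the hidden path under `~/Library/Containers`, and the proxy addresses are hypothetical.

```python
"""Triage helpers for the two host-side indicators the article describes:
a launch agent persisted to run at boot, and a web proxy the user did not set.
Added example; the sample inputs below are constructed, not captured."""
import plistlib
from typing import Dict, List, Optional

# Constructed plist in the shape of ~/Library/LaunchAgents/<label>.plist.
# The label mimics Apple naming while the binary sits in a hidden user directory.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.AppStore.updater</string>
    <key>ProgramArguments</key>
    <array><string>/Users/victim/Library/Containers/.hidden/AppStore</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for contrast: a vendor binary under /Applications.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>Program</key><string>/Applications/Backup.app/Contents/MacOS/agent</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed text in the shape of `networksetup -getwebproxy Wi-Fi` (explicit proxy)
# and `networksetup -getautoproxyurl Wi-Fi` (PAC file). Addresses are hypothetical.
SAMPLE_PROXY = "Enabled: Yes\nServer: 198.51.100.7\nPort: 8080\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_PAC = "URL: http://proxy.example.test/wpad.dat\nEnabled: Yes\n"

# Rough allowlist of where legitimately installed binaries live. /Applications is
# admin-writable, so this only filters noise; it is not an integrity check.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/Applications/")
APPLE_PREFIXES = ("/System/", "/usr/")


def triage_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return human-readable findings for one launch agent/daemon plist."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or []
    program = agent.get("Program") or (args[0] if args else "")
    label = agent.get("Label", "")
    findings = []
    if agent.get("RunAtLoad") and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"RunAtLoad program outside trusted paths: {program}")
    if label.startswith("com.apple.") and not program.startswith(APPLE_PREFIXES):
        findings.append(f"Apple-looking label {label!r} points at non-Apple binary")
    if "/." in program:
        findings.append(f"program lives in a hidden directory: {program}")
    return findings


def parse_proxy(output: str) -> Dict[str, str]:
    """Parse the 'Key: value' lines networksetup prints into a dict."""
    settings = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def unexpected_proxy(output: str, allowed=frozenset()) -> Optional[str]:
    """Return the enabled proxy target (host:port or PAC URL) unless it is on the
    caller's allowlist of corporate proxies; None when no proxy is enabled."""
    s = parse_proxy(output)
    if s.get("Enabled") != "Yes":
        return None
    target = s.get("URL") or f"{s.get('Server', '')}:{s.get('Port', '')}"
    return None if target in allowed else target


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_AGENT), ("benign", SAMPLE_BENIGN)):
        print(name, triage_launch_agent(blob) or "no findings")
    print("proxy:", unexpected_proxy(SAMPLE_PROXY))
    print("pac:", unexpected_proxy(SAMPLE_PAC))
```

On a live machine the inputs come from the plists under `~/Library/LaunchAgents` and `/Library/LaunchAgents`, and from `networksetup -getwebproxy`, `-getsecurewebproxy` and `-getautoproxyurl` for each network service. The third indicator, a root certificate the attacker added to a keychain, is not covered here; `security dump-trust-settings -d` lists the admin trust settings where such an addition would show up.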
This latest malware, which appears to target predominantly European users, underlines that Macs are not immune to the threat, as is sometimes supposed. As always, avoid clicking links or opening attachments in email from unknown or untrusted sources, and be suspicious of any "update" window that demands your password: a genuine macOS update does not lock you out of every other window until you comply.