Macs usually aren’t the targets of malicious hackers, but a researcher at Malwarebytes has discovered a new variant of the OSX.dok Trojan that installs a powerful, previously unknown backdoor on Macs. Adam Thomas of Malwarebytes found the variant, which was featured on the Malwarebytes blog yesterday.
The Trojan is delivered as a zipped app named “Dokument.app” that poses as a document. It’s signed with a revoked certificate, and after copying itself to /Users/Shared/AppStore.app, it displays an alert claiming that the app is damaged:
After clicking the OK button, the app closes and deletes itself after about a minute. In the meantime, however, the OSX.dok Trojan installs an open-source backdoor named Bella. What does Bella do? It allows surreptitious theft of iMessage and SMS chat transcripts, locating devices via Find My iPhone and Find My Friends, phishing for passwords, stealing the keychain, capturing data from a Mac’s microphone and webcam, creating and copying screenshots, and remote shell and screen sharing.
Even worse, Bella can escalate to root privileges by exploiting vulnerabilities in macOS 10.12.1 and earlier, or by phishing for an admin user’s password. Because it is a backdoor controlled remotely, it has a command-and-control server, and Thomas traced that server’s IP address to a Russian hosting company.
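The two artifacts the write-up names, the lure bundle “Dokument.app” and the copy the Trojan makes of itself at /Users/Shared/AppStore.app, are enough for a simple host check. The script below is an added example, not code from Malwarebytes or from the article: it walks a filesystem root for those two paths and, where the macOS `codesign` tool is available, asks whether each bundle’s signature still verifies (a bundle signed with a revoked certificate fails that check). The `demo()` function builds a constructed directory tree so the scan can be exercised without a real infection; the root path, the function names and the tree layout are all assumptions of this example.

```python
"""Host check for the OSX.dok artifacts described in the article.

Added example, not from the Malwarebytes write-up. It scans a filesystem
root for the known copy location (/Users/Shared/AppStore.app) and for the
lure bundle name (Dokument.app), and reports whether each bundle's code
signature still verifies when `codesign` is available.
"""
import os
import shutil
import subprocess
import sys
import tempfile

# Path the Trojan copies itself to (from the write-up), relative to the root.
DOK_DROP_PATH = os.path.join("Users", "Shared", "AppStore.app")
# Bundle name of the zipped lure app (from the write-up).
DOK_LURE_NAME = "Dokument.app"


def signature_status(bundle_path):
    """Return 'valid', 'invalid' or 'unchecked' for an app bundle.

    `codesign --verify` exists only on macOS; elsewhere the status is
    'unchecked' so the path scan still runs. A revoked signing certificate
    makes verification fail, which reports as 'invalid'.
    """
    if shutil.which("codesign") is None:
        return "unchecked"
    result = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", bundle_path],
        capture_output=True, text=True,
    )
    return "valid" if result.returncode == 0 else "invalid"


def scan_for_dok(root="/"):
    """Return a list of (path, reason, signature_status) findings under root."""
    findings = []
    drop = os.path.join(root, DOK_DROP_PATH)
    if os.path.isdir(drop):
        findings.append((drop, "known OSX.dok copy location", signature_status(drop)))
    # Look for the lure bundle anywhere under root (e.g. a Downloads folder).
    for dirpath, dirnames, _ in os.walk(root):
        if DOK_LURE_NAME in dirnames:
            lure = os.path.join(dirpath, DOK_LURE_NAME)
            findings.append((lure, "OSX.dok lure bundle name", signature_status(lure)))
        # App bundles are leaves for this scan; don't descend into them.
        dirnames[:] = [d for d in dirnames if not d.endswith(".app")]
    return findings


def demo():
    """Build a constructed tree with both artifacts, scan it, return the reasons found."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(base, DOK_DROP_PATH, "Contents", "MacOS"))
        os.makedirs(os.path.join(base, "Users", "victim", "Downloads", DOK_LURE_NAME))
        return sorted(reason for _, reason, _ in scan_for_dok(base))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    # Usage: python dok_check.py [root]   (defaults to "/", which walks the whole disk)
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, reason, status in scan_for_dok(root):
        print(f"{path}: {reason} (signature {status})")
```

Run it on a Mac as `python3 dok_check.py /` for a full-disk sweep, or point it at a narrower root such as a user’s home directory. A `codesign` status of `invalid` on either path is consistent with the revoked certificate the article describes; on a non-macOS host the script still reports the paths but leaves the signature unchecked.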
Thomas notes that because the code signing certificate for the malware has been revoked, no one can be infected by this particular variant at this time. However, Bella is open-source and will probably be dropped onto Macs by other installer code in the future. There’s probably never been a better time to install the free Malwarebytes app or to consider one of the other apps such as ClamXav or Bitdefender.