One example recently discovered by the research team appears to come from the Swiss Government, warning recipients that there were errors in their tax returns. Attached to this email is a file called “Dokument.zip.”
One of the intriguing things about the malware is that it’s digitally signed with a valid Apple developer’s certificate. These certificates are only issued to certified developers, and they’re important because they’re required in order to publish apps in the official Mac App Store. Also, because the presence of a signed certificate means that they can be installed without triggering security errors that would normally require a manual override.
All it takes to install the malicious code is to unzip the file. Once it’s unzipped, the software will modify the infected PC’s network settings and reroute web traffic through a proxy server located somewhere on the TOR network. A TOR client is installed automatically in the background when the file is unzipped.
From there, every move you make on the web is monitored, and your activity is reported in real time to whomever controls the software, allowing the hackers to steal a variety of personal data and logins.
What isn’t known at this time is whether the hackers provided false credentials and paid to get a developer’s certificate, or whether they stole one from an innocent third party. In either case, this new strain of malware is one of the most advanced security professionals have ever seen, and although Apple has patched their OS to nullify this threat, researchers warn that there may well be other strains of this code that remain undetected.