Apple Macs Malware Caution
Antelope Audio has detected recurring malware on some Mac computers. We are publishing this article to make our Mac-based users aware of this issue and to ask them to be cautious.
When using the Antelope Launcher, the malware prevents the user from updating or downloading anything from our server, causing the dropdown menus in the launcher to stay black. Whatever the user tries to do, the communication remains broken. We advise all of our Mac users to check their systems for this.
Here is what we discovered:
1) All HTTPS traffic was subject to a MITM (man-in-the-middle) attack: every website presented a fake certificate from "GoProxy untrusted MITM proxy Inc".
To verify this:
- Open Safari and navigate to www.google.com
- Click on the padlock icon
- A window opens; press "Show Certificate"
- If the certificate was issued by a legitimate certificate authority, EVERYTHING IS FINE
- However, if the issuer is "GoProxy untrusted MITM proxy Inc", YOU ARE EXPERIENCING THE ISSUE
2) We found a malicious self-signed Root Certificate Authority named "Apple" (issued Maf1). This certificate is trusted by the system.
3) The configured DNS servers were also bogus (194.168.x.x).
4) Furthermore, after changing the DNS server to Cloudflare public DNS 184.108.40.206 and removing the certificate, the problem was resolved. However, after a reboot the self-signed Root CA reappeared, although untrusted.
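As an added check (an example script, not Antelope Audio's own tooling), the following POSIX shell script tests the three indicators above on a Mac: the issuer of the certificate that www.google.com presents, the resolvers currently in use, and any self-signed root certificate in the System keychain. It assumes macOS with openssl, scutil and security available on PATH; the indicator strings are taken from this advisory.

```shell
#!/bin/sh
# Added example (not Antelope Audio's tooling). The indicators are the ones the
# advisory lists: the "GoProxy" MITM issuer, resolvers in 194.168.x.x and a
# self-signed root in the System keychain. Live checks assume macOS with
# openssl, scutil and security on PATH. Usage:  sh check_mitm.sh --check
MITM_ISSUER="GoProxy untrusted MITM proxy"
BOGUS_DNS_PREFIX="194.168."

# Does an "issuer=..." line name the MITM proxy? Returns 0 (yes) or 1 (no).
issuer_is_mitm() {
    case "$1" in *"$MITM_ISSUER"*) return 0 ;; *) return 1 ;; esac
}

# Does a resolver address fall in the bogus 194.168.x.x range?
dns_is_bogus() {
    case "$1" in "$BOGUS_DNS_PREFIX"*) return 0 ;; *) return 1 ;; esac
}

# Issuer of the leaf certificate a host presents (what Safari's padlock shows).
fetch_issuer() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

run_all_checks() {
    iss=$(fetch_issuer www.google.com)
    if issuer_is_mitm "$iss"; then echo "ISSUE: www.google.com $iss"
    else echo "ok: www.google.com $iss"; fi

    # Resolvers in use; scutil prints them as "nameserver[0] : a.b.c.d".
    for ns in $(scutil --dns | awk '/nameserver\[/ {print $3}' | sort -u); do
        if dns_is_bogus "$ns"; then echo "ISSUE: bogus resolver $ns"
        else echo "ok: resolver $ns"; fi
    done

    # Every certificate in the System keychain (genuine Apple roots live in the
    # separate System Roots keychain); flag any whose issuer equals its subject.
    security find-certificate -a -p /Library/Keychains/System.keychain 2>/dev/null \
        | openssl crl2pkcs7 -nocrl -certfile /dev/stdin 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | awk '/^subject=/ {s=$0; sub(/^subject= */, "", s)}
               /^issuer=/  {i=$0; sub(/^issuer= */, "", i);
                            if (s == i) print "ISSUE: self-signed root in System keychain: " s}'
}

# Live checks run only on request, so the pure functions can be sourced/tested.
if [ "${1:-}" = "--check" ]; then run_all_checks; fi
```

Any line starting with "ISSUE:" matches one of the findings above; a clean machine prints only "ok:" lines and no self-signed roots from the System keychain.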
We strongly suspect that malware is present. We scanned the system with various anti-virus apps, but unfortunately none of them reported any problems.
The machines with this certificate have been compromised. Possibly all network traffic has been intercepted by means of the malicious third-party certificate, and all passwords entered have been compromised as well.
We suggest that the users contact Apple support for further investigation.
The next step would be to wipe the disk and reinstall the system. All passwords for sites that were visited should be changed immediately!
In the case of the Antelope Launcher, it stopped working because of the security measures we have taken against such attacks. Because of that, we were able to reveal that the system was compromised.
We wish our users a quick recovery of their systems and lots of productive hours with their Antelope equipment.