Security Experts:

'Dok' Mac Malware Used to Target Swiss Banks

The cybercriminals behind the campaign known as Operation Emmental have apparently started targeting the customers of Swiss banks using a variant of the Mac OS X malware tracked as Dok.

Operation Emmental has been around since at least 2012 and the individuals who run it – experts determined that they are likely Russian speakers – have continued to improve their malware. The group has been known to leverage Android malware, designed to bypass two-factor authentication (2FA) and lock victims out of their smartphones, and a Windows banking Trojan tracked as Retefe and WERDLOD.

However, researchers believe a variant of the Dok malware has also been used in Operation Emmental to target Swiss banks.

Dok, a piece of malware typically delivered via email, is designed to spy on victims by installing a new root certificate and modifying the infected device’s network settings in order to redirect traffic through Tor.

According to Trend Micro, in the Operation Emmental attacks, the malware is configured to hijack traffic only if the victim’s external IP is located in Switzerland. Tracked by the security firm as OSX_DOK.C, the Trojan redirects users to a fake online banking login page if they visit the website of a financial organization whose domain is specified in a hardcoded list.

An analysis by Trend Micro and others showed that Dok actually appears to be the Mac version of Retefe/WERDLOD. Experts pointed out that both pieces of malware kill the web browser process before installing fake certificates, they share proxy settings and script formats, and they target mostly the same Swiss banks.

“Given the connection between WERDLOD and OSX_DOK.C, it is reasonable to assume that the latter is also a part of the Operational Emmental campaign,” Trend Micro researchers said in a blog post.

The security firm also pointed out that more recent versions of the Dok malware leverage a bug in the Ultimate Packer for Executables (UPX) tool to pack the Trojan and make it more difficult for security products to detect the threat.

Related Reading: Russian Hackers Infected 1 Million Phones With Banking Trojan

Related Reading: Turla Cyberspies Developing Mac OS X Malware

Related Reading: Software Download Mirror Distributes Mac Malware

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.