New malware able to spy on OSX users’ internet traffic, including https traffic, has been found targeting European users. The malware was previously not stopped by Apple’s Gatekeeper, and when discovered was not detected by anti-malware signature engines.
Called “Dok” (OSX/Dok) by Check Point, the malware combines phishing techniques and a valid developer certificate to effect a MITM attack capable of eavesdropping on all of the victim’s internet traffic.
The attack starts with a phishing email. In the example given by Check Point, a sample sent to a user in Germany was baited with supposed inconsistencies in the user’s tax returns. The email included an attachment, Dokument.zip, containing the malware bundle signed on April 21, 2017 by Seven Muller and called Truesteer.AppStore.
If activated, the malware copies itself to the /Users/Shared folder and executes. A pop-up message tells the user that the expected bundle was damaged and could not be opened; meanwhile the malware replaces any login item named ‘AppStore’ in order to gain persistence.
Further social engineering is then used to obtain the user’s password in order to complete the malware installation. It uses localization to pop up a window in either English or German. The window overlays all other windows and claims that a security issue has been identified.
The user is asked to enter his or her password in order to obtain the necessary updates. This window persists, and the user is unable to do anything but comply. Even if the computer is restarted, the window will reappear. However, once he or she enters the password, the malware obtains administrator privileges and installs the Homebrew command-line package manager. This is then used to download and install a Tor client and SOCAT.
OSX/Dok then uses its user-granted privileges to suppress further password prompts. It proceeds to install a new root certificate and alter the system’s network settings, redirecting traffic through a server hidden in Tor. This allows the hacker to intercept and read all outgoing traffic, even when legitimately encrypted with SSL. Because the server is located in Tor, the hacker remains anonymous.
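The behaviours described above (a login item named ‘AppStore’, a copy of the bundle under /Users/Shared, an added root certificate in the System keychain, and system proxy settings that send traffic elsewhere) are all things an administrator can check for from the Terminal. The script below is an added example written for this article, not tooling from Check Point, Malwarebytes or Apple. The live lookups use the standard macOS commands `osascript`, `networksetup`, `security` and `ls`; the parsing functions take each command’s output as text, so they can be exercised with the constructed samples and only the live audit is limited to macOS. The `BASELINE` file of known-good certificate labels is assumed to have been captured on a clean machine beforehand.

```shell
#!/bin/sh
# Added defender-side audit for the OSX/Dok indicators described in the article.
# Not Check Point's, Malwarebytes' or Apple's code. Live lookups need macOS;
# the parsing functions work on any system given the command output as text.

# $1: output of `networksetup -getwebproxy <service>` (or -getsecurewebproxy /
# -getautoproxyurl). Prints "proxy-enabled" when the service has a proxy or
# PAC URL switched on, otherwise "ok". A legitimate corporate proxy will also
# show up here, so the result is a review prompt, not a verdict.
proxy_status() {
    if printf '%s\n' "$1" | grep -q '^Enabled: Yes'; then
        echo proxy-enabled
    else
        echo ok
    fi
}

# $1: osascript list of login items ("AppStore, Dropbox"), $2: name to look for.
# Prints "found" or "absent".
login_item_status() {
    if printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF -- "$2"; then
        echo found
    else
        echo absent
    fi
}

# $1: `security find-certificate -a` dump of the System keychain,
# $2: newline-separated certificate labels from a baseline taken on a clean
#     machine (assumed to exist; constructed in the sample below).
# Prints every certificate label present now but missing from the baseline.
new_cert_labels() {
    printf '%s\n' "$1" | sed -n 's/^ *"labl"<blob>="\(.*\)" *$/\1/p' | sort -u |
        while IFS= read -r label; do
            printf '%s\n' "$2" | grep -qxF -- "$label" || printf '%s\n' "$label"
        done
}

# Live audit: runs the real commands and feeds their output to the checks above.
audit_live() {
    for svc in Wi-Fi Ethernet; do
        for kind in -getwebproxy -getsecurewebproxy -getautoproxyurl; do
            out=$(networksetup "$kind" "$svc" 2>/dev/null) || continue
            echo "$svc $kind: $(proxy_status "$out")"
        done
    done
    items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null || true)
    echo "login item named AppStore: $(login_item_status "$items" AppStore)"
    echo "contents of /Users/Shared (the malware copies itself here):"
    ls -la /Users/Shared
    if [ -r "${BASELINE:-/dev/null}" ]; then
        dump=$(security find-certificate -a /Library/Keychains/System.keychain 2>/dev/null || true)
        echo "System keychain certificates not in baseline:"
        new_cert_labels "$dump" "$(cat "$BASELINE")"
    fi
}

# Only macOS has these commands; elsewhere the functions can still be called
# on captured output.
if [ "$(uname)" = Darwin ]; then
    audit_live
fi
```

Run it as `BASELINE=/path/to/clean-labels.txt sh dok-audit.sh`; an enabled proxy or auto-proxy URL that nobody configured, a login item named AppStore, or a certificate label that is not in the clean baseline are each worth investigating, and the certificate comparison is the one that matters most for the HTTPS interception described above.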
The potential is serious. For consumers, login details for any accessed online service can be seen and stolen — including bank details.
It is potentially more harmful for businesses. Thomas Reed, director of Mac offerings at Malwarebytes, comments: “The impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server.”
Apple has reacted swiftly. It revoked the developer certificate on April 28. Installation of this particular version should now be stopped by Gatekeeper. It has also pushed out silent updates that protect OSX users against two variants of the malware, OSX.Dok.A and OSX.Dok.B, and also against a new version of the intrusive adware known as OSX.Genieo.F.
While there should now be no new infections of this version of OSX/Dok, Reed warns that complete removal for anyone already infected is not simple. The malware makes many changes to the system, and even though its activity can be stopped, other changes could cause ongoing problems. “For people who don’t know their way around in the Terminal and the arcane corners of the system,” he suggests, “it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.”
For businesses, he suggests, “If you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them.”