Another Mac attack: OSX/Dok malware spreads in Europe

As I've stated many times, some Mac users have a false sense of security with regard to their devices of choice. For whatever reason, there is still a persistent myth that Macs are inherently more secure than PCs. As a recent threat report from researchers at Check Point shows, this myth has been proven to be just that: a myth.

In the report written by Ofer Caspi, a new malware affecting Mac users in Europe, primarily Germany and Austria, was explored in great detail. Dubbed "OSX/Dok," it is destructive in that it "affects all versions of OSX, has 0 detections on VirusTotal ... is signed with a valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign."

OSX/Dok seeks information, especially sensitive data that is sent over encrypted traffic. Post-infection analysis shows that the malware is capable of viewing any communication sent to and from the victim, even SSL-encrypted traffic. As Caspi points out, this is possible due to OSX/Dok pushing "victim traffic through a malicious proxy server."
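A defender's first check against the traffic redirection described above is whether any network service on the Mac has a proxy or auto-proxy (PAC) URL enabled that nobody configured. The audit below is an added example, not code from Check Point's report or from the article; it queries the real `networksetup` tool on macOS, and the sample output it ships with is constructed (the `127.0.0.1:5555` proxy is a placeholder, not an indicator from the report).

```python
import platform
import subprocess

# Added example (not Check Point's or the author's code). Constructed networksetup
# output keyed by flag and service, in the "Key: value" layout the tool prints.
SAMPLE = {
    "-getsecurewebproxy": {
        "Wi-Fi": "Enabled: Yes\nServer: 127.0.0.1\nPort: 5555\nAuthenticated Proxy Enabled: 0\n",
        "Ethernet": "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
    },
    "-getautoproxyurl": {
        "Wi-Fi": "URL: http://127.0.0.1:5555/proxy.pac\nEnabled: Yes\n",
        "Ethernet": "URL: (null)\nEnabled: No\n",
    },
}

def parse_kv(output):
    """Turn 'Key: value' lines into a dict, splitting on the first colon only."""
    result = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
    return result

def proxy_findings(outputs):
    """Return (service, flag, target) for every enabled proxy or PAC setting."""
    findings = []
    for flag, per_service in outputs.items():
        for service, out in per_service.items():
            kv = parse_kv(out)
            if kv.get("Enabled") == "Yes":
                target = kv.get("URL") or f"{kv.get('Server')}:{kv.get('Port')}"
                findings.append((service, flag, target))
    return findings

def live_outputs(flags):
    """Query networksetup for every network service (macOS only)."""
    listing = subprocess.run(["networksetup", "-listallnetworkservices"],
                             capture_output=True, text=True, check=True).stdout
    services = [s.lstrip("*") for s in listing.splitlines()[1:]]  # line 1 is a note
    return {flag: {svc: subprocess.run(["networksetup", flag, svc], capture_output=True,
                                        text=True).stdout for svc in services}
            for flag in flags}

if __name__ == "__main__":
    live = platform.system() == "Darwin"
    data = live_outputs(list(SAMPLE)) if live else SAMPLE
    for service, flag, target in proxy_findings(data):
        print(f"[!] {service}: {flag} -> {target}; confirm this proxy is expected")
```

On a machine that is not running macOS the script falls back to the constructed sample so the parsing logic can still be exercised.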

The phishing attack used to deliver OSX/Dok onto a system is, at the moment, built around exploiting anxiety over financial information. In the German-language email below, the threat actor cites "inconsistencies" in the recipient's tax return to bait the would-be victim into opening the .zip file containing OSX/Dok.


Upon execution, the malware copies itself into the /Users/Shared/ folder using the following shell commands outlined in the Check Point report:

At this point the system is fully infected. The malware forces a window onto the screen prompting the user to install an "update"; accepting it hands full root privileges to the black hat attacking the system.

Phishing campaigns are one of the oldest tactics in a hacker's arsenal, and they remain so because there are always gullible individuals who take the bait. It should go without saying that running files from untrusted sources is dangerous, yet many still insist on doing so. Even though OSX/Dok is currently localized to Europe, it is inevitable that it will make the rounds on the Dark Web and go global. This is especially likely because it is Mac-based malware that can be leveraged against ignorant users who believe their products are inherently "hack-proof."


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
