Another Mac attack: OSX/Dok malware spreads in Europe

As I've stated many times, some Mac users have a false sense of security about their devices of choice. For whatever reason, the myth persists that Macs are inherently more secure than PCs. A recent threat report from researchers at Check Point shows, once again, that this belief is exactly that: a myth.

The report, written by Ofer Caspi, explores in detail a new malware affecting Mac users in Europe, primarily in Germany and Austria. Dubbed "OSX/Dok," it is destructive in that it "affects all versions of OSX, has 0 detections on VirusTotal ... is signed with a valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign."

OSX/Dok seeks information, especially sensitive data sent over encrypted connections. Post-infection analysis shows that the malware can view any communication sent to and from the victim, even SSL-encrypted traffic. As Caspi points out, this is possible because OSX/Dok pushes "victim traffic through a malicious proxy server."
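Because the interception described above depends on the victim's traffic being steered through an attacker-controlled proxy, a quick defender-side check is to audit the Mac's proxy configuration. The following is an added example, not code from the article or from Check Point: it parses the output of macOS's `scutil --proxy` and flags any enabled HTTP/HTTPS proxy or proxy auto-config (PAC) URL for review. The article does not say how Dok installs its proxy, so treating it as a system proxy or PAC entry is an assumption, and the sample output below is constructed.

```python
# Defender-side check inspired by OSX/Dok's traffic redirection (added
# example, not from the article). It parses `scutil --proxy` output on
# macOS and flags any enabled HTTP/HTTPS proxy or PAC URL for review.
# The key names are the ones scutil prints; how Dok installs its proxy
# is not described in the article, so treating it as a system proxy or
# PAC entry is an assumption.
import re

ENABLE_KEYS = {  # enable flag -> (endpoint key, port key or None)
    "HTTPEnable": ("HTTPProxy", "HTTPPort"),
    "HTTPSEnable": ("HTTPSProxy", "HTTPSPort"),
    "ProxyAutoConfigEnable": ("ProxyAutoConfigURLString", None),
}

def parse_scutil_proxy(text):
    """Flatten `key : value` lines into a dict; nested containers such
    as the ExceptionsList array are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*:\s*(.+?)\s*$", line)
        if m and not m.group(2).startswith("<"):
            cfg[m.group(1)] = m.group(2)
    return cfg

def proxy_findings(cfg):
    """One finding per enabled proxy path, naming the endpoint."""
    findings = []
    for flag, (host_key, port_key) in ENABLE_KEYS.items():
        if cfg.get(flag) == "1":
            target = cfg.get(host_key, "?")
            if port_key and port_key in cfg:
                target += ":" + cfg[port_key]
            findings.append(f"{flag}: traffic routed via {target}")
    return findings

# Constructed sample of scutil output with a loopback PAC URL enabled.
SAMPLE = """<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
  }
  HTTPEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://127.0.0.1:5555/proxy.pac
}"""

if __name__ == "__main__":
    print(proxy_findings(parse_scutil_proxy(SAMPLE)))
```

On a live Mac, feed the actual `scutil --proxy` output to `parse_scutil_proxy` and compare the findings against the proxy settings your organisation expects.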

The phishing attack used to deliver OSX/Dok currently plays on anxiety about financial information. In the German-language email shown below, the threat actor cites "inconsistencies" in a tax return to bait the would-be victim into opening the .zip file containing OSX/Dok.


Upon execution, the malware copies itself into the /Users/Shared/ folder using the following shell commands, as outlined in the Check Point report:

At this point the system is fully infected: the malware forces a window onto the screen prompting the user to install an "update," and that "update" grants the attacker full root privileges on the system.

Phishing campaigns are one of the oldest tactics in a hacker's arsenal, and they remain so because there are always gullible individuals who take the bait. It should go without saying that running files from untrusted sources is dangerous, yet many still insist on doing so. Even though OSX/Dok is currently localized to Europe, it is inevitable that it will make the rounds on the Dark Web and go global. This is especially likely because it is malware targeting Macs, which can be leveraged against uninformed users who believe their products are inherently "hack-proof."


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
