Another Mac attack: OSX/Dok malware spreads in Europe

As I’ve stated many times, some Mac users have a false sense of security with regard to their devices of choice. For whatever reason, there is still a persistent myth that Macs are inherently more secure than PCs. As a recent threat report from researchers at Checkpoint shows, this myth has been proven to be just that: a myth.

In the report written by Ofer Caspi, a new malware affecting Mac users in Europe, primarily Germany and Austria, was explored in great detail. Dubbed “OSX/Dok,” it is destructive in that it “affects all versions of OSX, has 0 detections on VirusTotal … is signed with a valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign.”

OSX/Dok seeks information, especially sensitive data that is sent over encrypted traffic. Post-infection analysis shows that the malware is capable of viewing any communication sent to and from the victim, even SSL-encrypted traffic. As Caspi points out, this is possible due to OSX/Dok pushing “victim traffic through a malicious proxy server.”

The phishing attack that is used to transfer OSX/Dok onto a system is, at the moment, based around exploiting anxiety regarding financial information. In the below German language correspondence, the threat actor attempts to use “inconsistencies” in tax returns to bait the would-be victim into opening the .zip file containing OSX/Dok.

OSX/Dok malware

Upon execution, the malware will copy itself into the /Users/Shared/ folder using the following shell commands outlined by the Checkpoint report:

OSX/Dok malware

It is at this point that the system is fully infected and forces a window onto the screen that prompts an “update” that will leverage full root privileges to the black hat attacking the system.

Phishing campaigns are one of the oldest tactics in a hacker’s arsenal, and it remains this way because there are always gullible individuals who take the bait. It should go without saying that running files from untrusted sources is dangerous, yet many still insist on doing so. Even though OSX/Dok is currently localized to Europe, it is inevitable that it will make the rounds on the Dark Web and go global. This is especially the case as it is a Mac-based malware that can be leveraged against ignorant users who believe their products are inherently “hack-proof.”

Photo credit: Pexels

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top