New macOS Malware: OSX/Dok (updated)

Ofer Caspi, of the Check Point malware research team, has published details of new malware targeting macOS and OS X systems, which has been named OSX/Dok; it has also been named Spy.Dok.A elsewhere. As it gains access to all communications including those encrypted by SSL, and is signed with a valid developer certificate, it presents a serious threat to Mac users.

Currently this is being spread by a phishing attack, typically an email message concerning an issue such as tax returns. This has so far been targetted at mainly European users, and Check Point provides an example which was received in Germany, its message written in German. Attached to that is a Zip archive contained the malware’s installer posing as a document. When opened, that installs itself into the /Users/Shared folder, and runs a shell script to complete its installation.

Once fully installed, it appears as an app named located in /Users/Shared. There should, of course, be no such app there.

The app then presents an alert stating that the original enclosure couldn’t be opened, following which it adds itself as a Login Item which persists and runs automatically unless removed. It then creates a bogus information dialog claiming that OS X updates are available, and offers one option, to update all; this dialog blocks all other windows and apps.

It installs further components (including the Brew package manager, Tor, and Socat) and performs extensive surgery to network settings to divert all internet communications via its proxy server. This includes the installation of two further LaunchAgents, which are put in a spurious path /Users/_%User%_/Library/LaunchAgents.

This is a complex and sophisticated attack, not the work of an amateur. It is tempting to speculate that it might be part of a targetted phishing campaign, as we have seen recently against OS X / macOS users.

Anti-virus protection is now starting to detect it, but removal is likely to be a tougher proposition: Malwarebytes’ Anti-Malware should now detect it reliably, and other products should follow. It appears unlikely that the recent update to Apple’s MRT provides any protection from OSX/Dok. Apple has today revoked the developer certificate used to sign the installer, so that should be blocked by Gatekeeper.

In the meantime, be even more careful and suspicious with incoming messages. Objective-See’s BlockBlock does alert you to the complex installations and adjustments which Dok performs, and is therefore recommended for immediate protection.

Full information is on the Check Point website. Additional detail has also been provided by Thomas Reed at Malwarebytes Labs, who suggests ways to remove its detritus from an infected Mac.

(Updated 1850 UTC 29 April 2017.)