Apple’s recent updates to XProtect and MRT covered not only OSX/Dok, the new Trojan discovered by Ofer Caspi of the Check Point malware research team, but also a variant, which Apple names OSX.Dok.B.
Now Adam Thomas of Malwarebytes Labs has discovered OSX.Dok.B, as detailed by Thomas Reed on the Malwarebytes Labs blog.
Thomas has shown that OSX.Dok.B is sufficiently different to merit its own name, OSX.Bella. It uses the same phishing attack to deliver a concealed app masquerading as a document, Dokument.app, which is signed with the same developer certificate, which Apple has now revoked. On installation, it appears in /Users/Shared as AppStore.app, but soon differs from OSX.Dok.A: it installs a far nastier open-source backdoor written in Python, which goes by the euphemistic name of Bella.
Bella is cunning, and is operated from C&C servers hosted in Moscow, Russia. This suggests that OSX.Dok.A and .B may have originated from the same source in Russia, and it is tempting to speculate that they are part of a targeted phishing campaign rather than a general attack on Mac users.
The good news is that Apple has closed this stable door: the abused developer certificate has been revoked, so Gatekeeper should refuse all attempts to run Dokument.app; XProtect looks for the malware signature, and again will block it effectively. If it does somehow circumvent those, then MRT should remove it effectively.
You’ll also find that all good Mac anti-virus protection should now be fully armed against both the Dok variants.