The recent appearance of new malware affecting macOS, in two variants of OSX/Dok, seemed to be under control. Apple revoked the abused developer certificate being used to sign the malware, so enabling Gatekeeper to block any attempt to run the installer. Apple also added it to its XProtect and MRT data, to enable detection and removal.

The Check Point Research Team has just announced that it has detected “several new variants” of OSX/Dok which achieve the same interception of all communications. These use a different developer certificate which has just now been revoked by Apple. The developers have also concealed the malware more deeply, so that the XProtect update pushed out by Apple may no longer detect it.

Further pushed updates are expected to cope with these variants and the more recent Snake malware. In the meantime, I recommend that those who feel that they are at risk of attack by OSX/Dok should install Objective-See’s BlockBlock, which detects malware activity using different techniques, and therefore doesn’t need a ‘signature’, etc., to test against.

Full details are at the Check Point blog.

Until very recently, the abuse of developer certificates in macOS malware has been very limited. The speed with which the developers of OSX/Dok have been able to respond to Apple’s revocation suggests that this is a very well-resourced and managed project. State actors would seem most probable.