Mac Users Face New Malware Called Dok That Can Attack All Versions Of OS X

1 May 2017, 11:19 pm EDT By Steve Bowman Tech Times
A new malware dubbed Dok was detected for systems running Mac OS X. The malicious app is primarily targeted at European users and spreads via an email phishing scam.  ( Justin Sullivan | Getty Images )

Mac users assume that their operating system — OS X — is relatively safe from attack from different malwares. However, the belief doesn't seem to be holding much ground as Check Point malware research found a new malware dubbed OSX/Dok.

Dok apparently affects all the versions of OS X and had 0 detections on VirusTotal at the time of writing. The malware signs into the Mac system with an Apple authenticated developer certificate. Dok is the first major malware that has been developed to target Mac users. Dok is being spread worldwide using a coordinated email phishing scam.

Dok Malware Targets Mac Users With Email Scams

Once Dok infects a Mac system, the hackers take complete control over the victim's communication channels including those encrypted by SSL. This feat is achieved by redirecting the victim's traffic through a malicious proxy server.

The Dok malware targets Mac users based in Europe. A viral phishing message was sent to a Mac user in Germany and stated that the user had inconsistencies in their tax returns. Such messages often create panic and the victim unwittingly opens the email without probing further.

How Does The Dok Malware Work?

The Dok malware is sent to the user hidden in a .zip archive named The fake mail states that the attachments are confidential and need to be downloaded for viewing.

Once the victim downloads the file from the email, the malicious file copies itself to the /Users/Shared/ folder. Dok malware then executes a series of shell commands and runs itself from a new location.

Once the malware is executed, a fake message pops-up for the victim. This message notes that "the package is damaged" and, therefore, the command cannot be executed. If a "loginItem" named "AppStore" exists on the Mac's system, it will be deleted by Dok. The malware will then execute itself in place of "AppStore."

Once Dok replaces the loginItem, it will stay in the system and run automatically every time the Mac's system reboots until the payload installation is complete. Once the malware is installed on the system, it will create a new window over all other windows.

This newly-created window comes with a message alerting the user of a security issue that has been detected in the operating system. It will also inform the user that a new update for the Mac system is available and will insist that the user install the same as soon as possible. To update the system, one will be prompted to enter a password. Interestingly, Dok malware will provide the user the password.

How Dok Handicaps Victims

Until the victim starts the update process, he or she will not be allowed to access any of the other windows or any other part of the system. Access is only granted if the victim keys in the password which Dok provided.

Once the victim types the password on the fake update window, Dok gets all the administrator privileges of the machine, which previously were restricted to the victim. With the help of these privileges, the malware installs a package manager for OS X dubbed brew. This package assists the malware in installing additional tools like SOCAT and TOR.

Once the malicious app gets a hold on the machine, it will share the administrative privileges with the user as well to avoid constant admin password prompts. It will then redirect the victim's web browsing data to a proxy server.

How To Protect The System Against Dok Malware Attack?

Malware usually infiltrate a system via a phishing attack and, therefore, detection of the infection is easy. It is advisable to not download attachments from any email that comes from an unknown or suspicious source. Unless one is absolutely certain of the email's authenticity, it is best not to download the attachments.

Also, check the name of the attached file before download the same. If it is called Dokument.ZIP, it's better to steer clear of the email completely.

© 2017 Tech Times, All rights reserved. Do not reproduce without permission.

From Our Sponsor

How To Shop Smart: 5 Characteristics Of A Smart Shopper

You may love shopping, you may be a bargain hunter....but are you a smart shopper?