Researchers have unearthed a new sample of Mac malware that is more sophisticated and insidious than previously documented pieces. The malware has been dubbed OSX.Dok (also written Dok malware) and has been used in attacks on European users, who were targeted with convincing fake emails. The malicious email attachment carrying the malware is named Dokument.zip.
OSX.Dok Technical Overview
The targeted user is lured into opening the Dokument.zip attachment, which in fact contains an application rather than a document. If the victim opens it, several silent changes are made to the system. The end goal is to install a malicious proxy that puts the attacker in a man-in-the-middle position over the victim's web traffic.
Malwarebytes researchers say that OSX.Dok uses sophisticated methods to monitor, and potentially alter, all HTTP and HTTPS traffic to and from the infected Mac. The malware could capture account credentials for websites the user logs into, which could lead to theft of money or data. Because it sits in the middle of the connection, it could also modify the data sent and received, for example redirecting users to malicious websites.
In short, the infection process goes like this:
- The victim opens the supposed document, but nothing appears to open.
- A fake notification is displayed saying that the file is damaged or uses an unrecognized file format.
- Meanwhile, the malware copies itself to the /Users/Shared/ folder and adds itself to the user's login items.
- This way it re-opens at the next login and continues infecting the targeted Mac.
- Once this is done, another fake prompt is displayed urging the victim to install a critical OS update. The prompt does not go away until the victim clicks the Update All button and enters the admin password.
Further down the infection chain, OSX.Dok modifies the /private/etc/sudoers file so that it retains root-level access without prompting the user for the admin password each time. The malware also installs several macOS command-line developer tools, plus Tor and socat, and adds a new trusted root certificate to the system. With that root certificate trusted, the proxy can present forged certificates for any HTTPS site without triggering browser warnings, so the malware can impersonate any website.
The last step is self-deletion: the malware removes its copy from the /Users/Shared/ folder.
Unfortunately, this is not the only variant researchers have caught. Another variant skips the fake OS X update routine and instead installs an open-source backdoor dubbed Bella, which is publicly available on GitHub.
Mitigations against OSX.Dok
Fortunately, Apple has revoked the valid developer certificate used to sign the malware. This means that new victims will not be affected by this sample, because macOS will refuse to open the application. It does not, however, stop new versions of the malware from being signed with a freshly obtained certificate.
Victims of the malware should erase the hard drive and restore the system from a backup taken before the infection. Users who are not tech-savvy should consider contacting an expert.
Researchers also say that the malware can be removed by deleting the two LaunchAgents files it creates. However, that alone leaves behind other files and modifications, such as the sudoers change and the added trusted root certificate, which are not easy to reverse; a clean restore remains the safer option.
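The infection chain and the removal advice above both name concrete artifact classes: a LaunchAgent pointing into /Users/Shared/, a sudoers file granting passwordless root, the out-of-place Tor and socat binaries, and an added trusted root certificate. The triage script below is an added example written for this page; it is not code from the article or from Malwarebytes. The default paths are assumptions about a stock macOS layout, and every check takes a path argument so it can also be run against copied files or a mounted image. The sudoers and LaunchAgents samples it is meant to be tested against are constructed, and the `/Users/Shared/example.app` path used there is a placeholder, not an indicator from the write-up.

```sh
#!/bin/sh
# dok_triage.sh: check for the classes of artifacts the OSX.Dok write-up describes.
# Added example, not the article's or Malwarebytes' code. Default paths assume a
# stock macOS layout; pass a path to check a copied file or a mounted image instead.
# Each check returns 0 when an indicator is present and 1 when nothing was found.

# Persistence: LaunchAgents whose plist references something under /Users/Shared.
find_shared_launch_agents() {
    dir="${1:-$HOME/Library/LaunchAgents}"
    [ -d "$dir" ] || return 1
    found=1
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue      # glob did not match anything
        if grep -q '/Users/Shared/' "$plist"; then
            echo "launch agent referencing /Users/Shared: $plist"
            found=0
        fi
    done
    return $found
}

# Privilege: a NOPASSWD grant is what keeps root without re-prompting for the
# admin password; a stock macOS sudoers file contains none. Needs root to read
# the live file. Comment lines are ignored; matches are printed with line numbers.
check_sudoers_nopasswd() {
    file="${1:-/private/etc/sudoers}"
    [ -r "$file" ] || return 1
    grep -nE '^[^#]*NOPASSWD' "$file"
}

# Tooling: tor and socat are not part of macOS. Their presence in the usual
# third-party prefix (assumed /usr/local/bin) needs an explanation.
find_proxy_tools() {
    prefix="${1:-/usr/local/bin}"
    found=1
    for tool in tor socat; do
        if [ -x "$prefix/$tool" ]; then
            echo "non-stock tool present: $prefix/$tool"
            found=0
        fi
    done
    return $found
}

# macOS-only checks (they need the live host, so they are not exercised offline):
# the user's login items, and root certificates that were given admin-domain trust
# settings, which is where a newly added "trusted" root shows up.
list_login_items() {
    osascript -e 'tell application "System Events" to get the name of every login item'
}
list_admin_trusted_roots() {
    security dump-trust-settings -d
}

# Run every check against the live system: sudo sh dok_triage.sh --run
if [ "${1:-}" = "--run" ]; then
    find_shared_launch_agents
    check_sudoers_nopasswd
    find_proxy_tools
    list_login_items
    list_admin_trusted_roots
fi
```

Each check is deliberately a separate function with a meaningful exit status so it can be dropped into an existing fleet-wide script or run one at a time; a hit on any of them is a reason to image the machine rather than just delete the two LaunchAgents files.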