Check Point researchers have recently discovered a brand new malware targeting Mac users. The malware is called Dok, and it may be the first large-scale Mac malware distributed through a well-coordinated email phishing campaign.
According to the experts at Check Point, Dok affects all OS X versions and is not detected by VirusTotal. The worst thing about it, however, is that it is signed with a valid developer certificate issued by Apple.
As soon as a device is infected, the attackers gain full access to all of the victim's communications, including those encrypted with SSL.
The researchers found that Dok mostly targets users in Europe, using a rather elaborate phishing technique. For example, a user in Germany received a message about a supposed inconsistency in their tax returns.
Dok is delivered in a .zip archive called Dokument.zip, signed by Seven Muller about a week ago. When executed, it copies itself to the /Users/Shared/ folder and runs from there. A pop-up then appears, stating that the package is damaged and cannot be executed.
If a login item named "AppStore" already exists, the malware deletes it and registers itself under that name instead.
“The malicious application will then create a window on top of all other windows. This new window contains a message, claiming that a security issue has been identified in the operating system, that an update is available, and that to proceed with the update the user has to enter a password, as shown in the picture below. The malware checks the system localization, and supports messages in both German and English,” the Check Point team explains.
While infected, users cannot access any windows or use the computer until they enter the password and the malware completes its installation. At that point the malware holds admin privileges, which it uses to install brew, a package manager for Macs, and then TOR and SOCAT.
“The malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting in a malicious server,” the experts state.
After that, a new root certificate is installed on the infected machine, which lets the attackers intercept the user's traffic, including SSL-encrypted connections.
Dok can therefore impersonate any website without the victim's knowledge.
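The infection chain above leaves three host-level traces a defender can look for: a login item named "AppStore", an enabled proxy auto-configuration (PAC) URL in the network settings, and an added admin-trusted root certificate. The script below is an added triage example, not Check Point's code; it parses the output of the macOS tools `networksetup`, `osascript` and `security` (the `Cert N: <name>` format of `security dump-trust-settings -d` is assumed from memory), and the sample outputs used in the tests are constructed.

```python
import re
import subprocess
import sys

SUSPECT_LOGIN_ITEM = "AppStore"   # login item name Dok replaces with itself
SUSPECT_DIR = "/Users/Shared"     # directory Dok copies itself into


def parse_autoproxy(output):
    """Parse `networksetup -getautoproxyurl <service>` output (lines 'URL: ...'
    and 'Enabled: Yes|No'); an enabled PAC URL is the proxy hijack described above."""
    fields = dict(line.split(": ", 1) for line in output.splitlines() if ": " in line)
    return {"url": fields.get("URL", ""), "enabled": fields.get("Enabled", "No") == "Yes"}


def suspicious_login_items(output):
    """From the comma-separated login item names printed by osascript, return the
    ones matching the name Dok hijacks (exact, case-sensitive match on purpose)."""
    names = [n.strip() for n in output.strip().split(",") if n.strip()]
    return [n for n in names if n == SUSPECT_LOGIN_ITEM]


def admin_trusted_certs(output):
    """Return certificate names from `security dump-trust-settings -d` output.
    Assumed line format 'Cert N: <name>'. Every admin-trusted root listed here
    deserves review, since Dok adds one to intercept SSL traffic."""
    return re.findall(r"^Cert \d+: (.+)$", output, flags=re.MULTILINE)


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def triage(service="Wi-Fi"):
    """Collect the indicators on a live Mac; returns [] when not on macOS."""
    if sys.platform != "darwin":
        return []
    findings = []
    pac = parse_autoproxy(_run(["networksetup", "-getautoproxyurl", service]))
    if pac["enabled"]:
        findings.append(f"auto-proxy (PAC) enabled, review its source: {pac['url']}")
    items = _run(["osascript", "-e",
                  'tell application "System Events" to get the name of every login item'])
    findings += [f"login item named {n!r} present" for n in suspicious_login_items(items)]
    certs = admin_trusted_certs(_run(["security", "dump-trust-settings", "-d"]))
    findings += [f"admin-trusted root certificate, review: {c}" for c in certs]
    findings += [f"file in {SUSPECT_DIR}, review: {f}" for f in _run(["ls", SUSPECT_DIR]).split()]
    return findings


if __name__ == "__main__":
    print("\n".join(triage()) or "no indicators found (or not running on macOS)")
```

Findings are reported for review rather than classified, because internal PAC files and corporate root CAs are legitimate on managed Macs.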