New macOS Malware ‘Dok’ Spreads through Phishing Emails; Undetected by Antivirus Apps

macOS has been considered safer from malware and virus attacks than Windows. However, according to Check Point's research team, that is no longer the case. A string of new malware attacks on macOS has surfaced online in recent times.

Dubbed OSX/Dok, the malware goes undetected by VirusTotal and other antivirus apps for macOS. Making matters worse, the malware is signed with a valid developer certificate from Apple. Check Point says that it is the first “major scale malware to target OS X users via a coordinated email phishing campaign.”

A Dok-infected Mac gives attackers complete access to the victim's SSL-encrypted communication, which is achieved by diverting the traffic through a malicious proxy server. For now, the malware seems to be widespread in Europe.

The malware spreads through a phishing email in which it is usually bundled in a zip archive called Dokument.zip. Once the file is executed, it copies itself to the user's Shared folder. It then runs some shell commands, at the end of which the user gets an error saying the Package file is damaged. By then, however, the malware has already done its job: it creates a fake pop-up window, which cannot be closed and takes over the display completely, claiming that a new macOS update is available for a security issue identified in the OS.

The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine.

The malware will then give the current user admin privileges immediately on demand without prompting for a password. This is done so that the malware won’t provoke constant admin password prompts when abusing its admin privileges with the sudo command.

The malware then changes the victim system’s network settings so that all outgoing connections pass through a proxy, which is dynamically obtained from a Proxy Auto-Configuration (PAC) file hosted on a malicious server.
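
The two changes described above (passwordless sudo for the current user and a PAC-based proxy in the network settings) can be checked for on a Mac. The script below is an added example, not code from Check Point or from the malware; it assumes passwordless sudo shows up as a `NOPASSWD` entry in the sudoers files, and the sample inputs, user names and PAC URL are constructed.

```shell
#!/bin/sh
# Added example: checks for the two changes the article attributes to Dok.

# Active (non-comment) lines in a sudoers file that grant passwordless sudo.
nopasswd_entries() {            # $1 = path to a sudoers file or a copy of one
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' || true
}

# Reads `networksetup -getautoproxyurl <service>` output on stdin and prints
# the PAC URL only if automatic proxy configuration is enabled.
enabled_pac_url() {
    awk '/^URL: /     { url = substr($0, 6) }
         /^Enabled: / { enabled = ($2 == "Yes") }
         END { if (enabled && url != "(null)") print url }'
}

# Live check on a Mac (run as root so the sudoers files are readable).
dok_triage() {
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        pac=$(networksetup -getautoproxyurl "$svc" | enabled_pac_url)
        if [ -n "$pac" ]; then echo "PAC proxy on '$svc': $pac"; fi
    done
    for f in /etc/sudoers /etc/sudoers.d/*; do
        if [ -f "$f" ]; then nopasswd_entries "$f" | sed "s|^|$f: |"; fi
    done
}

# Constructed sample inputs (not taken from a real infection).
sample_sudoers() {
    printf '%s\n' '# constructed sample' 'root ALL=(ALL) ALL' \
        '%admin ALL=(ALL) ALL' '# bob ALL=(ALL) NOPASSWD: ALL' \
        'alice ALL=(ALL) NOPASSWD: ALL'
}
sample_autoproxy() {
    printf '%s\n' 'URL: http://pac.example.invalid/proxy.pac' 'Enabled: Yes'
}

if [ "${1:-}" = "--live" ]; then dok_triage; fi
```

Run it with `--live` on the Mac being examined. A hit is a lead to review rather than a verdict, since some organisations legitimately deploy PAC files and `NOPASSWD` rules.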

In the end, since this malware spreads when the user downloads a malicious file from a phishing email, it is highly recommended that you only download files from trusted sources and emails to keep yourself safe online.

[Via Check Point]