DOK MacOS Phishing

Last week, the cyber security firm Check Point released a report on DOK, a new piece of malware that targets Mac users and affects all versions of OS X. Hackers have been distributing the malware via phishing, and they can track all your web traffic once your computer is infected.

DOK is the latest piece of malware to be detected that specifically targets Mac systems. It is a common notion that Apple’s MacOS is a safe space compared with Microsoft’s Windows, but that is no longer the case.

According to the antivirus giant McAfee Labs, malware threats on Apple’s ecosystem increased nearly 750% last year, with almost 500,000 samples discovered by its researchers over that period. The tech giant has yet to release a statement about DOK.

About DOK

All Mac OS X versions are vulnerable to DOK infection, meaning that virtually all Apple desktops and laptops are exposed to it. That includes both old and new iMac and MacBook devices.

Check Point researchers said the malware seems to be targeting European users in particular. The firm detected the threat on a German user’s computer, and it appears to be spreading most prominently across that region.

How does it work and what does it do?

In the sample collected by the cyber security firm, DOK presented itself disguised in a .zip file attached to an email. The phishing email claimed to be from a government agency regarding an issue with the person’s tax returns.

Once the user opens the file to see what it is about, the malware covertly copies itself onto the machine and installs itself into the /Users/Shared/ folder. From that location, it executes a command that displays a fake security update prompt.

The prompt forces the user to accept and run the update, not letting them do anything else until they comply. The real objective of the supposed security update is to gain administrative privileges and change the target’s system network settings.

Aside from changing the user’s configuration, DOK also installs TOR and a certificate that Apple’s tools accept as legitimate, which together give the attackers the ability to perform a Man-in-the-Middle (MITM) attack and trace and access all the web traffic on that computer.

Check Point details how these actions could have potentially disastrous consequences without the victim’s knowledge:

“When attempting to surf the web, the user’s web browser will first ask the attacker web page on Tor for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who is free to read the victim’s traffic and tamper with it in any way they please.”
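As an added defender-side example (not code from the Check Point report, from this article, or from DOK itself), the script below is a small triage check a Mac administrator could run for the two configuration changes described above: a browser auto-proxy (PAC) URL fetched over Tor, and a dropper left in /Users/Shared/. It uses the real macOS `networksetup` tool; the heuristic that a PAC URL on a `.onion` host or a loopback address is suspicious, and all sample inputs, are assumptions.

```shell
#!/bin/sh
# Added triage script; not from the Check Point report or from DOK.
# Uses the real macOS networksetup(8) utility. The ".onion or loopback PAC
# URL" heuristic is an assumption based on the behaviour described above.

# Read the output of `networksetup -getautoproxyurl <service>` on stdin.
# Returns 0 when an auto-proxy (PAC) is enabled and its URL points at a
# Tor hidden service or a proxy on the local machine, 1 otherwise.
pac_is_suspicious() {
    awk '
        /^URL:/     { url = $2 }
        /^Enabled:/ { enabled = $2 }
        END {
            if (enabled != "Yes") exit 1
            if (url ~ /\.onion(\/|:|$)/) exit 0
            if (url ~ /^https?:\/\/(127\.0\.0\.1|localhost)(:|\/)/) exit 0
            exit 1
        }'
}

# List executables, app bundles and zip archives directly inside a directory
# (default /Users/Shared, where the article says DOK installs itself).
# A non-empty listing is not proof of infection, only something to inspect.
list_shared_candidates() {
    dir=${1:-/Users/Shared}
    find "$dir" -mindepth 1 -maxdepth 1 \
        \( -type f -perm -u+x -o -name '*.app' -o -name '*.zip' \) 2>/dev/null
}

# Walk every network service and report those whose PAC setting matches,
# then list candidate files in /Users/Shared. Only meaningful on macOS.
triage_macos() {
    # First line of the listing is a note; a leading '*' marks a disabled service.
    networksetup -listallnetworkservices 2>/dev/null | sed '1d; s/^\*//' |
    while IFS= read -r svc; do
        if networksetup -getautoproxyurl "$svc" | pac_is_suspicious; then
            echo "SUSPICIOUS PAC on service: $svc"
            networksetup -getautoproxyurl "$svc"
        fi
    done
    echo "Items in /Users/Shared worth a look:"
    list_shared_candidates
}

if [ "$(uname)" = Darwin ]; then
    triage_macos
fi
```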

How can I avoid being infected by DOK?

If you are on a Mac and worried about getting infected by DOK, keeping an eye out for suspicious emails should suffice. Avoid downloading any fishy attachments and everything should be fine.

OS X’s Gatekeeper does not block the threat because the malware carries a certificate that Apple’s checks accept as legitimate. VirusTotal does not detect it either, which means that most if not all of the security products installed on your computer will miss it too.

Now that DOK has been identified, it shouldn’t take long for Apple to release a real security update that closes this hole in its defenses.

Source: Check Point