Mac OS has always been praised for being secure and less likely to be infected by malware.
Well, times have changed.
McAfee reports that malware attacks on Apple’s Mac computers were up 744% in 2016! And that number will continue climbing after reports of this new attack dubbed “OSX/Dok.”
What is OSX/DOK?
Dok is macOS malware whose end goal is a man-in-the-middle attack on the victim's web traffic. It gets past Gatekeeper, the feature designed to block unsigned or unidentified software, because its bundle is signed with a valid Apple developer certificate.
According to the Malware Research team at Check Point, the sample had zero detections on VirusTotal and in most other anti-virus products at the time of their report. It runs on all versions of macOS.
It is currently being distributed via coordinated email phishing campaigns.
How does it work?
As stated above, phishing campaigns are running right now, mailing large numbers of users a malicious attachment.
The malware is contained in a .zip archive named “Dokument.zip.”
If you open the attachment and run the bundle inside it, the malware copies itself to the /Users/Shared folder and registers itself as a login item, so it is launched again at every login until it has finished installing its payload.
The malware then creates a window that stays on top of all other windows, displaying a message claiming that a security issue has been identified in the operating system and that an update is available. You are then prompted to enter your password.
Once you enter your password and “install the update,” the malware has administrator privileges and uses them to change your network settings so that all outgoing web connections are routed through a proxy the attacker controls. The proxy auto-configuration (PAC) file that defines that proxy is fetched over Tor from an attacker server hosted as a Tor hidden service.
According to CheckPoint, “using those privileges, the malware will then install brew, a package manager for OS X, which will be used to install additional tools – TOR and SOCAT.”
Dok also removes any trace of the original download from the ~/Downloads folder and shows a “file could not be opened” error message in its place.
How would this affect you?
The malware installs a root certificate on your Mac, which allows the attackers to intercept your traffic in a man-in-the-middle (MITM) attack. This includes HTTPS traffic: because the browser now trusts any certificate chained to the injected root, the attacker's proxy can present its own certificate for every site without triggering a warning.
“As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings,” the researchers say.
“The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.”
According to the researchers, almost no anti-virus product had updated its signature database to detect Dok at the time of writing, and the malware deletes itself once it has modified the proxy settings on the target machine for interception.
Am I infected now?
Probably not, unless you recently opened an email attachment named “Dokument.zip.”
To check, open System Preferences → Network, select the active network service, then Advanced → Proxies. The proxy settings are stored per service, so check Wi-Fi and Ethernet (and any other service you use) in turn.
If “Automatic Proxy Configuration” is checked and its URL points at the malicious “127.0.0.1:5555” (as seen in the image above), your computer is infected. Uncheck it and delete that URL immediately, but do not stop there: clearing the proxy setting does not remove the rogue root certificate (find and delete it in Keychain Access), the copy of the malware in /Users/Shared, the login item that relaunches it, or the Tor and socat tools it installed with brew.
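As an added example, not part of the original post or of Check Point's tooling, the following script performs the same check from the command line using networksetup, the macOS utility behind that preference pane, for every network service at once. The 127.0.0.1:5555 indicator is the one given in the text above; the extra check for any other enabled PAC URL on the loopback address is a generalisation of mine, since the port could change just as the file name could. The sample networksetup outputs in the block are constructed, not captured from an infected machine.

```shell
#!/bin/sh
# Added example: audit the macOS automatic proxy configuration (PAC URL)
# that Dok abuses. Not code from the original post or from Check Point.

# Indicator taken from the text: an auto-proxy URL on 127.0.0.1:5555.
DOK_PAC_HOST='127.0.0.1:5555'

# classify_autoproxy OUTPUT
# OUTPUT is the text printed by `networksetup -getautoproxyurl <service>`:
#   URL: http://127.0.0.1:5555/...
#   Enabled: Yes
# Prints one of CLEAN, DOK_INDICATOR, DISABLED_PAC, LOOPBACK_PAC, PAC_SET.
classify_autoproxy() {
  url=$(printf '%s\n' "$1" | sed -n 's/^URL: *//p')
  enabled=$(printf '%s\n' "$1" | sed -n 's/^Enabled: *//p')

  # networksetup prints "(null)" when no PAC URL has ever been set.
  if [ -z "$url" ] || [ "$url" = "(null)" ]; then
    echo CLEAN
    return 0
  fi
  # The Dok URL is an indicator even if someone already unchecked the box.
  case "$url" in
    *"$DOK_PAC_HOST"*) echo DOK_INDICATOR; return 0 ;;
  esac
  if [ "$enabled" != "Yes" ]; then
    echo DISABLED_PAC      # configured but inactive: worth a look, not an infection
    return 0
  fi
  case "$url" in
    http://127.*|http://localhost*|"http://[::1]"*) echo LOOPBACK_PAC ;;  # generalised check
    *) echo PAC_SET ;;     # e.g. a legitimate corporate PAC
  esac
  return 0
}

# Audit every network service on this Mac (Wi-Fi, Ethernet, ...); the
# auto-proxy setting is stored per service. Returns 1 if any service shows
# the Dok indicator or another loopback PAC, 2 when not running on macOS.
audit_live() {
  command -v networksetup >/dev/null 2>&1 || { echo "networksetup not found: not macOS"; return 2; }
  rc=0
  tmp=$(mktemp)
  # The first line of the listing is a legend; a leading '*' marks a disabled service.
  networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' > "$tmp"
  while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    verdict=$(classify_autoproxy "$(networksetup -getautoproxyurl "$svc" 2>/dev/null)")
    printf '%-24s %s\n' "$svc" "$verdict"
    case "$verdict" in DOK_INDICATOR|LOOPBACK_PAC) rc=1 ;; esac
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}

# Constructed sample outputs (not captured from a real machine) so the
# classifier can be exercised away from a Mac.
SAMPLE_DOK=$(printf 'URL: http://127.0.0.1:5555/\nEnabled: Yes\n')
SAMPLE_CLEAN=$(printf 'URL: (null)\nEnabled: No\n')

demo() {
  printf 'constructed Dok sample:   %s\n' "$(classify_autoproxy "$SAMPLE_DOK")"
  printf 'constructed clean sample: %s\n' "$(classify_autoproxy "$SAMPLE_CLEAN")"
}

# Run the live audit only when invoked as a script under this name.
case "${0##*/}" in dok_proxy_check.sh) demo; audit_live ;; esac
```

Save it as dok_proxy_check.sh and run `sh dok_proxy_check.sh` on the Mac in question; a non-zero exit status means at least one service has a loopback PAC URL enabled. Elsewhere it only prints the verdicts for the two constructed samples, and `audit_live` reports that networksetup is missing.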
How do I protect myself?
The simplest way to protect yourself from Dok is to be extremely cautious with email attachments.
I would only trust files sent by family or friends, or by someone whose email you were expecting.
The archive is currently called Dokument.zip, but the name could change in the future, so stay alert.
Lastly, as of writing no anti-virus software has been updated to detect Dok, so don't rely on it. Vendors will eventually add signatures, and Apple will eventually revoke the developer certificate the malware is signed with, but until then avoid opening unexpected email attachments if at all possible.