Trojan uses a man-in-the-middle attack to intercept all communications, including SSL traffic
Update: Apple has acted quickly and revoked the developer certificate Dok was using, so Gatekeeper now warns users when the program tries to install. Stay cautious all the same: Gatekeeper is not infallible.
From a security standpoint, Apple computers are relatively safe from viruses and other malware. However, they are not immune. Researchers at the IT security company Check Point Software Technologies have discovered new malware that targets Mac OS. The malware, called OSX/Dok, can infect all versions of Mac OS and is new enough that no antivirus signatures exist for it at the time of this writing. It is particularly sneaky because it is signed with a valid Apple developer certificate, which gets it past Gatekeeper, the built-in macOS control that by default blocks apps that are not signed by an identified developer from running.
Dok’s only real weakness is its infection vector: it relies on users falling for a phishing email. In an example provided by Check Point, an email told a German user that there was an error in his tax return. The attachment supposedly contained a list of questions and the telephone number of the tax official handling the case, but the file is actually the malware.
“The malware bundle is contained in a .zip archive named Dokument.zip. It was signed on April 21st, 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore,” states the IT security firm.
Once in, the malware takes several steps culminating in a pop-up that demands the user’s password; the pop-up cannot be closed and no other windows are accessible until the password is entered, and entering it grants the malware root privileges. With root access, the malware continues autonomously in the background and ultimately gains access to all of the victim’s communications, including traffic encrypted with SSL. It redirects the system’s traffic through a malicious proxy server so the attackers can run a man-in-the-middle attack and impersonate any website without the victim noticing. (Impersonating HTTPS sites without browser warnings is only possible if the victim’s system trusts a certificate authority the attacker controls, which is the kind of system-wide change root access makes possible.)
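As an added example (not code from Check Point, Apple or the malware itself), the script below audits a Mac for the two things a proxy-based SSL man-in-the-middle needs in order to keep working on the victim’s machine: a system-wide proxy setting that steers traffic to the attacker’s proxy, and a root certificate, explicitly trusted by an administrator, that the attacker controls. The parse functions take the text output of macOS’s `networksetup` and `security` tools, so they can be exercised offline on the constructed samples embedded in the script; `audit_mac()` runs the real commands when executed on macOS. The sample values (the `127.0.0.1:5555` proxy, the `proxy.pac` URL, the “Example Evil Root CA” name) are made up for illustration, and flagging localhost or `.onion` proxy targets is a heuristic of this example, not a documented Dok indicator.

```python
#!/usr/bin/env python3
"""Audit macOS proxy settings and admin-trusted root certificates.

Added example, not code from Check Point or from the Dok malware. The parse_*
functions work on text output of `networksetup` and `security` so the logic
can be tested offline; audit_mac() runs the live commands on macOS only.
"""
import platform
import re
import subprocess

# Constructed sample outputs (not captured from a real infection).
SAMPLE_AUTOPROXY_ON = "URL: http://127.0.0.1:5555/proxy.pac\nEnabled: Yes\n"
SAMPLE_AUTOPROXY_OFF = "URL: (null)\nEnabled: No\n"
SAMPLE_WEBPROXY_ON = ("Enabled: Yes\nServer: 127.0.0.1\nPort: 5555\n"
                      "Authenticated Proxy Enabled: 0\n")
SAMPLE_WEBPROXY_OFF = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_TRUST_SETTINGS = (
    "Number of trusted certs = 1\n"
    "Cert 0: Example Evil Root CA\n"
    "   Number of trust settings : 1\n"
    "   Trust Setting 0:\n"
    "      Policy OID            : SSL\n"
    "      Result Type           : kSecTrustResultProceed\n"
)


def _fields(text):
    """Split 'Key: Value' lines (networksetup style) into a dict.
    Only the first colon separates key from value, so URLs survive intact."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_autoproxy(text):
    """Parse `networksetup -getautoproxyurl <service>`.
    Returns the PAC URL when automatic proxy configuration is on, else None."""
    f = _fields(text)
    url = f.get("URL", "")
    if f.get("Enabled") == "Yes" and url and url != "(null)":
        return url
    return None


def parse_webproxy(text):
    """Parse `networksetup -getwebproxy|-getsecurewebproxy <service>`.
    Returns 'server:port' when the proxy is on, else None."""
    f = _fields(text)
    if f.get("Enabled") == "Yes" and f.get("Server"):
        return f"{f['Server']}:{f.get('Port', '')}"
    return None


def parse_trust_settings(text):
    """Parse `security dump-trust-settings -d` (admin trust settings).
    Returns names of certificates an administrator explicitly marked trusted;
    a stock Mac normally lists none. Assumes the 'Cert N: <name>' line format."""
    return re.findall(r"^Cert \d+: (.+)$", text, flags=re.MULTILINE)


def proxy_findings(pac_url, web_proxy, secure_proxy):
    """Turn parsed proxy settings into findings. Any enabled proxy is reported;
    localhost or .onion targets get a note (heuristic of this example)."""
    findings = []
    for label, value in (("PAC script", pac_url),
                         ("HTTP proxy", web_proxy),
                         ("HTTPS proxy", secure_proxy)):
        if value is None:
            continue
        note = ""
        if re.search(r"127\.0\.0\.1|localhost|\.onion", value):
            note = " (points at localhost or a Tor hidden service)"
        findings.append(f"{label} enabled: {value}{note}")
    return findings


def _run(*args):
    return subprocess.run(args, capture_output=True, text=True).stdout


def audit_mac():
    """Run the checks against the live system (macOS only)."""
    if platform.system() != "Darwin":
        raise RuntimeError("live audit needs macOS; use the parse_* functions elsewhere")
    findings = []
    # First line of -listallnetworkservices is an explanatory header; '*' marks disabled.
    for svc in _run("networksetup", "-listallnetworkservices").splitlines()[1:]:
        svc = svc.lstrip("*")
        findings += [f"{svc}: {x}" for x in proxy_findings(
            parse_autoproxy(_run("networksetup", "-getautoproxyurl", svc)),
            parse_webproxy(_run("networksetup", "-getwebproxy", svc)),
            parse_webproxy(_run("networksetup", "-getsecurewebproxy", svc)))]
    for name in parse_trust_settings(_run("security", "dump-trust-settings", "-d")):
        findings.append(f"admin-trusted root certificate: {name}")
    return findings


if __name__ == "__main__":
    if platform.system() == "Darwin":
        for line in audit_mac() or ["no proxy or admin-trusted root found"]:
            print(line)
    else:
        print("Not macOS; demonstrating on the constructed samples:")
        for line in proxy_findings(parse_autoproxy(SAMPLE_AUTOPROXY_ON), None,
                                   parse_webproxy(SAMPLE_WEBPROXY_ON)):
            print(line)
        for name in parse_trust_settings(SAMPLE_TRUST_SETTINGS):
            print(f"admin-trusted root certificate: {name}")
```

Run it with `python3 audit.py` on the Mac in question; any enabled proxy or PAC script the user did not set up, and any certificate listed under admin trust settings, deserves a closer look. Clearing the proxy and deleting the rogue root certificate removes the interception, but not the malware’s persistence, so a full cleanup still has to follow.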
It is a very damaging and dangerous trojan once it gets in, but again, one must fall for the phishing scheme first. Fortunately, iMore has published steps for removing Dok should a machine become infected.
The lesson here is one that is taught over and over by many IT professionals: Do not open attachments from anyone unless you are already expecting that attachment and know what is in it.