DOK malware surfaces for macOS platform, sneaks past Gatekeeper protection with valid Apple developer account

Posted by:
Date: Monday, May 1st, 2017, 05:06
Category: macOS, News, security, Software

In the age of Macs becoming more popular again, the amount of malware available for the macOS is on the rise.

According to the McAfee Labs, malware attacks on Apple’s Mac computers were up 744% in 2016, and its researchers have discovered nearly 460,000 Mac malware samples, which is still just a small part of overall Mac malware out in the wild.

The Malware Research team at CheckPoint has located a new piece of fully-undetectable Mac malware which apparently affects all versions of Mac OS X, has zero detections on VirusTotal and is “signed with a valid developer certificate (authenticated by Apple).”


The malware, which has been named “DOK”, is distributed through a coordinated email phishing campaign and is among the first pieces of malware to target macOS users.

DOK is designed to gain administration-level privileges and install a new root certificate on the target system, which allows attackers to intercept and gain complete access to all victim communication, including SSL encrypted traffic.

The phishing emails are disguised as a message regarding supposed inconsistencies in the users’ tax returns. Upon clicking on an attached .zip file, which contains the malware. The malware itself can bypass macOS’ Gatekeeper feature thanks to its valid developer certificate and copies itself to the /Users/Shared/ folder and then add to “loginItem” in order to make itself persistent, allowing it to execute automatically every time the system reboots, until it finishes to install its payload.

Once installed, the malware creates a window on top of all other windows, displaying a message claiming that a security issue has been identified in the operating system and an update is available, for which the user has to enter his/her password.

Following the users’ entry of their system password, the malware can recall this password, then changes the victim system’s network settings, allowing all outgoing connections to pass through a proxy.

DOK can then install additional tools – namely TOR and SOCAT – which will then be used by the malware. “The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.”

At present, almost no antivirus has updated its signature database to detect or remove DOK and the malware deletes itself once it modifies proxy settings on the target machines for interceptions.

Apple can resolve this issue just by revoking the developer certificate being abused by the malware author.

Users are recommended to avoid clicking on links contained in messages or emails from unknown sources and to be careful before providing their root password.

Stay tuned for additional details as they become available.

Via The Hacker News, McAffee Labs and CheckPoint

Recent Posts

Leave a Reply