
Don't Get Caught by the Tricky 'Dok' Mac Malware

Signed Apple Developer Certificates Don't Mean You're Safe
Security
April 28, 2017

Many people assume that Macs are immune to malware. Apple has built a strong operating system in OS X and macOS, but no software is completely safe from malicious code. A new strain of Mac malware hides behind the supposed safety of a valid Apple developer certificate, which is exactly the thing users are told to trust. The news comes to us courtesy of AppleInsider.

This 'Dok' Isn't What You Think It Is

This fake OS X update window is just the first step in infecting your Mac

This Mac malware, named “Dok” by security firm Check Point, reportedly affects all versions of OS X and macOS. Once installed, it gives the attackers access to all of the computer’s internet traffic, including traffic that is supposed to be protected by SSL/TLS. It does this by rerouting traffic through a malicious proxy server. A proxy on its own cannot read encrypted HTTPS sessions; the interception works only because the malware also installs a new root certificate that makes the Mac trust whatever certificate the proxy presents, so the attackers can decrypt, read, and re-encrypt each connection as it passes through.

The malware spreads by way of a coordinated phishing campaign, and so far it is mostly aimed at European users. A phishing email looks like it comes from a reputable authority and tries to get you to reveal sensitive information such as a password or credit card number, or, as in this case, to install a supposed security update for macOS/OS X. One example was a German-language email from a supposed Swiss official, claiming there were inconsistencies in the victim’s latest tax return. The email carries an archive called Dokument.zip, and the application inside it is signed with a valid Apple developer certificate. That signature is why Gatekeeper, the OS X and macOS component that by default blocks apps that are neither from the Mac App Store nor signed by an Apple-registered developer, lets it run without a warning.

At some point during the malware’s installation, the victim sees a window on top of everything else claiming a security issue has been identified, but an update is available. It’s known to support messages in both German and English, and encourages the victim to install the supposed “update.” The dialog exists to collect the user’s password, which the malware needs because changing system-wide proxy and certificate trust settings requires administrator privileges. Once the Mac malware is installed, everything the victim does online is routed through the hackers’ proxy server, allowing the attackers to obtain personal information like passwords, credit card numbers, and more.
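The proxy redirection described above leaves a visible trace in the Mac’s system network settings, which any user or administrator can inspect. The shell script below is an added example (mine, not code from the article, from Check Point, or from the malware): it parses the output of `scutil --proxy`, the command-line view of the Proxies tab in System Preferences > Network > Advanced, and flags any enabled HTTP, HTTPS, SOCKS, or Proxy Auto-Config (PAC) setting along with the address it points at. On a Mac it reads the live configuration; elsewhere it runs over a constructed sample whose PAC URL (http://127.0.0.1:5555/proxy.pac) is an assumed placeholder, not the address Dok actually used.

```shell
#!/usr/bin/env bash
# Added example, not code from the article, from Check Point, or from Dok itself.
# Dok redirects a Mac's traffic through an attacker-controlled proxy; on macOS that
# change is visible in `scutil --proxy`, whose output has lines like
#   "  ProxyAutoConfigEnable : 1". This script flags any enabled proxy mechanism.

# Read `scutil --proxy` output on stdin, print one FINDING per enabled proxy
# mechanism plus the address it points at. Returns 0 if nothing is enabled, 1 otherwise.
audit_proxy_config() {
    local line key val findings=0
    while IFS= read -r line; do
        case "$line" in
            *" : "*) ;;          # only "Key : value" lines carry settings
            *) continue ;;
        esac
        key=${line%% : *}                     # text before the first " : "
        key=${key#"${key%%[![:space:]]*}"}    # strip leading indentation
        val=${line#* : }                      # text after the first " : "
        case "$key" in
            HTTPEnable|HTTPSEnable|SOCKSEnable|ProxyAutoConfigEnable|ProxyAutoDiscoveryEnable)
                if [ "$val" = "1" ]; then
                    echo "FINDING: $key is on"
                    findings=$((findings + 1))
                fi ;;
            HTTPProxy|HTTPSProxy|SOCKSProxy|ProxyAutoConfigURLString)
                echo "  $key = $val" ;;       # where the traffic is being sent
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample in scutil's format, mimicking a Dok-style PAC redirection.
# The PAC URL is an assumed placeholder, not the address the real malware used.
SAMPLE_DOK='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://127.0.0.1:5555/proxy.pac
}'

# Constructed sample of an untouched Mac: no proxy mechanism enabled.
SAMPLE_CLEAN='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
}'

# Audit the live configuration on a Mac; on other systems fall back to the sample.
run_audit() {
    if command -v scutil >/dev/null 2>&1; then
        scutil --proxy | audit_proxy_config
    else
        printf '%s\n' "$SAMPLE_DOK" | audit_proxy_config
    fi
}

if run_audit; then
    echo "OK: no system-wide proxy or PAC file is enabled"
else
    echo "WARNING: traffic is being redirected; confirm who configured this and why"
fi
```

A finding is not proof of infection on its own, since managed corporate Macs often use a PAC file legitimately, but a PAC URL pointing at localhost or an unfamiliar host that you never configured is exactly what a Dok-style interception looks like. The paired question to ask is whether a root certificate you did not install has appeared in Keychain Access under the System keychain, because that is what turns a proxy into a working SSL/TLS interceptor.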

It's Still a Tough Pill to Deliver

Even with the valid Apple developer certificate, the Dok Mac malware is still tough to deliver, and infection is far from guaranteed. Victims have to choose to download the attachment, open it, and then enter their administrator password twice during the installation. What’s troubling is that this software carries a valid Apple developer certificate, issued to a “Seven Muller.” A developer signature only proves that someone with an Apple developer account signed the code; it says nothing about whether that code is malicious, and until Apple revokes the certificate, Gatekeeper treats the app as legitimate.

All this to say that our Macs aren’t as safe and secure as we wish they were. We have to be diligent about email attachments, and it’s probably a good idea to use antivirus and anti-malware software at all times. Fortunately, the attack doesn’t seem to affect iOS users at this time, so at least the iPhone remains safe from Dok right now.