New phishing campaign using OSX/Dok

London, UK – July 18, 2017 – Adversaries continue to improve OSX/Dok discovered at the end of April for banking credentials stealing. Researchers at Check Point report that a phishing campaign continues. It is combined with MiTM (Man-in-The-Middle) attack that allows intercepting all victim’s communications, even encrypted. The campaign targets MacOS users, who are confident in the security of the system.

Phishing email contains a malicious application attached to the email as a zip file. The virus disables system updates and signs the malware with a valid Apple certificate. Thus, it bypasses GateKeeper and installs into the system. Then, a Tor service is installed for C2 communications and proxy is used to redirect users from some European banks sites to a fake website on C2 server. Despite the fact that Apple blocks compromised certificates, adversaries get new ones and the campaign continues.

Malware OSX/Dok is ported from Windows, and it can be assumed that soon there will be new threats for the Mac, notorious for Windows users. OSX/Dok “acquires” additional tools, and it is uncertain how adversaries will use them in the near future. Since the malware uses Tor for communications with C2 servers, its presence on the corporate network can be uncovered with the DetectTor use case for ArcSight, Splunk and QRadar.