DOK malware, a stealthy MAC OS spyware that inspects your HTTPS Traffic

Pierluigi Paganini April 28, 2017

DOK Malware is a stealthy malicious code recently discovered by researchers at security firm CheckPoint, it affects almost ant Mac OS X version.

Malware researchers at CheckPoint firm have discovered a new stealth Mac malware dubbed DOK that affects almost ant Mac OS X version. At the time of its discovery, the DOK malware has zero detections on VirusTotal and researchers highlighted that the malicious code is “signed with a valid developer certificate (authenticated by Apple).”

The DOK malware is being distributed via phishing emails, the researchers added that this is the first major scale malware to target macOS users.

“This new malware – dubbed OSX/Dok — affects all versions of OSX, has 0 detections on VirusTotal (as of the writing of these words), is signed with a valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign.” states the analysis published by CheckPoint.

Once the malware infects a macOS system, it gains administrative privileges and install a new root certificate. The root certificate allows the malicious code to intercept all victim’s communications, including SSL encrypted traffic.
“Once OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL. This is done by redirecting victim traffic through a malicious proxy server.” continues the analysis.

The DOK malware was used to target European users, in a case reported by the researchers, a German user received a phishing message regarding supposed inconsistencies in tax returns.

The phishing messages trick victims into opening an attached malicious .zip file, which contains the malicious code.

The use of a malicious code signed with a valid developer certificate allows it to bypass the Apple Gatekeeper defense mechanism.

Once installed, the DOK malware copies itself to the /Users/Shared/ folder and then gain persistence by adding to “loginItem.” in this way it will be executed automatically every time the system reboots.

At this point, the malicious code creates a window on top of all other windows, displaying a message claiming that a security problem has been detected in the operating system and an update is available, it requests victims to enter his password.

When the victim installs the fake update, the DOK malware gains administrator privileges on the target and modifies system’s network settings in order to set up a proxy used for the outgoing traffic inspection.

DOK malware MacOS

“The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine.

Using those privileges, the malware will then install Tor, the latter is a low-level command-line utility that allows connection to the dark web.” continues the analysis.

“The malware will then give the current user admin privileges immediately on demand without prompting for a password. This is done so that the malware won’t provoke constant admin password prompts when abusing its admin privileges with the sudo command. This is done by adding the following line to /etc/sudoers:


At this point, the malware installs a new root certificate in the infected Mac, which allows the attacker to intercept the victim’s traffic using a man-in-the-middle (MiTM) attack.

“As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings,” the researchers say.

“The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.”

Another aspect that makes the DOK malware hard of analyzing is that the malicious code deletes itself once it modifies proxy settings on the target machines.


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – DOK malware, hacking)

[adrotate banner=”13″]

you might also like

leave a comment