DOK malware, a stealthy MAC OS spyware that inspects your HTTPS Traffic

Once the malware infects a macOS system, it gains administrative privileges and install a new root certificate. The root certificate allows the malicious code to intercept all victim’s communications, including SSL encrypted traffic.

The phishing messages trick victims into opening an attached malicious .zip file, which contains the malicious code.

The use of a malicious code signed with a valid developer certificate allows it to bypass the Apple Gatekeeper defense mechanism.

Once installed, the DOK malware copies itself to the /Users/Shared/ folder and then gain persistence by adding to “loginItem.” in this way it will be executed automatically every time the system reboots.

At this point, the malicious code creates a window on top of all other windows, displaying a message claiming that a security problem has been detected in the operating system and an update is available, it requests victims to enter his password.

“The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine.

Using those privileges, the malware will then install Tor, the latter is a low-level command-line utility that allows connection to the dark web.” continues the analysis.

“The malware will then give the current user admin privileges immediately on demand without prompting for a password. This is done so that the malware won’t provoke constant admin password prompts when abusing its admin privileges with the sudo command. This is done by adding the following line to /etc/sudoers:

%USER_NAME_HERE%  ALL=(ALL) NOPASSWD: ALL”

At this point, the malware installs a new root certificate in the infected Mac, which allows the attacker to intercept the victim’s traffic using a man-in-the-middle (MiTM) attack.

“As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings,” the researchers say.

“The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.”

Another aspect that makes the DOK malware hard of analyzing is that the malicious code deletes itself once it modifies proxy settings on the target machines.