Updated with new information about XProtect from Apple.
Check Point, a security analysis firm, posted an alarming blog entry on Thursday about a new malicious macOS Trojan horse that appeared able to bypass Apple’s protections and could hijack and sniff all the traffic entering and leaving a Mac without a user’s knowledge. This would include SSL/TLS encrypted connections, because the malware installs a local digital certificate that overrides normal man-in-the-middle warnings and protections.
The malware, called OSX/Dok by Check Point, spreads via a phishing attack that Check Point says mostly targets European users. One message shown is in German and the signature portion says it’s from the Swiss tax office. The email contains a ZIP file attachment which has to be saved, opened, and an item within it launched. It’s unclear from the description whether a user has to enter an administrative password, although based on the steps, this would seem likely. On execution, the malware performs various nefarious deeds, such as copying itself and running shell commands, as well as installing a startup item so it will launch at each reboot.
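A defender-side check for the startup-item persistence described above, as an added example that is not from the article or from Check Point: it parses launchd property lists with Python’s plistlib and flags jobs whose executable sits in a user-writable location or that start automatically. The two embedded plists are constructed samples, and the trusted and suspect path lists are my assumptions.

```python
import glob
import os
import plistlib
from pathlib import PurePosixPath
# Where a launch item's executable normally lives (assumed list, not exhaustive).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# User-writable places a launch item should rarely point into (assumed list).
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/", "/private/var/", "/Users/Shared/")

def audit_launch_item(plist_bytes):
    """Findings for one LaunchAgent/LaunchDaemon plist; an empty list means nothing odd."""
    plist = plistlib.loads(plist_bytes)
    label = plist.get("Label", "<no Label>")
    program = plist.get("Program") or (plist.get("ProgramArguments") or [None])[0]
    if program is None:
        return [f"{label}: no Program or ProgramArguments"]
    parts = PurePosixPath(program).parts
    # /Users/<name>/Library/... is writable by that user without any password prompt.
    in_home_library = len(parts) > 3 and parts[1] == "Users" and parts[3] == "Library"
    findings = []
    if program.startswith(SUSPECT_PREFIXES) or in_home_library:
        findings.append(f"{label}: runs {program} from a user-writable location")
    elif not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"{label}: runs {program} outside the usual system locations")
    if findings and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        findings.append(f"{label}: starts automatically at login or boot")
    return findings

def audit_launch_dirs(dirs=("/Library/LaunchAgents", "/Library/LaunchDaemons",
                            os.path.expanduser("~/Library/LaunchAgents"))):
    """Audit every plist under the given launchd directories; returns {path: findings}."""
    results = {}
    for path in (p for d in dirs for p in glob.glob(os.path.join(d, "*.plist"))):
        try:
            with open(path, "rb") as fh:
                findings = audit_launch_item(fh.read())
        except Exception as exc:  # plistlib also reads binary plists; malformed ones are reported
            findings = [f"could not parse: {exc}"]
        if findings:
            results[path] = findings
    return results

# Constructed sample plists (not taken from the malware) so the check runs stand-alone.
SUSPECT_PLIST = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.constructed.updater</string>
<key>ProgramArguments</key><array><string>/Users/Shared/updater/run.sh</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
BENIGN_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.constructed.benign</string>
<key>Program</key><string>/usr/bin/true</string></dict></plist>"""
```

On a Mac, `audit_launch_dirs()` walks the real launchd folders; elsewhere it simply returns an empty result.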
Check Point says the malware is signed with a valid Apple developer’s certificate, something that’s happened before. Malicious parties may hijack legitimate developers’ accounts, or register a certificate of their own, use it, and burn it. With a certificate that checks out, macOS Gatekeeper recognizes the app as legitimate, and doesn’t prevent its execution.
Apple confirmed that Gatekeeper wasn’t bypassed. That developer certificate has been revoked, which will prevent the malware from launching in the future without a warning. Apple has also confirmed that it updated XProtect, its silent malware signature system, to ward it off. There’s no indication of how many users might have been infected, as Check Point’s research team encountered it in the wild.
As with nearly all macOS malware, OSX/Dok requires a naive user who accepts at face value phishing email and willingly extracts and launches a file they were not expecting and which they’re unfamiliar with. The main exception to this was the subversion of two releases of the torrenting software Transmission, which had legitimate copies replaced by hacked ones. Those were also Trojan horses, but from software people intentionally downloaded and installed.
With BlockBlock and XFence (formerly Little Flocker) installed, even if you had been trusting enough to carry out the steps to launch the malware, it would have been unable to write files or mark itself as launching on startup. (Both packages are free and in beta.)
Mac users need to maintain vigilance against launching any file that wasn’t expected or is from an unknown party or one that claims to be tax, law-enforcement, or another authority. Even if the file appears to be from a known source, if it’s not something expected and in a format typically sent by that person or group, it might be a spearphishing attempt, in which faked return addresses are used to lull people into installing a Trojan horse.