Extremely dangerous malware is being distributed through a coordinated email phishing campaign, intercepting users' traffic, including SSL-encrypted communications.
The Dok malware was discovered by Check Point security researchers, who report that it affects all versions of Mac OS X and is currently not detected by any engine on VirusTotal. What makes matters worse is that the malware is signed with a valid Apple Developer certificate.
Once a system is infected with Dok, the attackers gain full access to all of the victim's communications, including those encrypted via SSL.
The researchers found that the malware primarily targets European users and that the phishing technique used is quite sophisticated. One of the detected email samples informs the prospective victim of an alleged inconsistency in their tax return.
The malicious software is contained in a file named Document.zip. Once executed, the malware copies itself to the /Users/Shared/ folder and starts running. A popup window then appears claiming that the file is corrupted and cannot be executed.
If a login item named "AppStore" already exists, the malware deletes it and registers itself under that name instead. This way the malware persists on the system and runs automatically every time the system restarts, until it has finished installing its payload.
A new window then appears informing the victim that a security issue has been detected in their operating system and that an update is available to fix it.
Users cannot access any other windows or use the computer until they enter the password requested to complete the alleged system update; once they do, the malware completes its installation.
At that point a new root certificate is installed on the infected device, which allows the attackers to intercept the victim's traffic using the man-in-the-middle (MITM) technique.
"The malware changes the victim's network settings so that all outgoing connections pass through a proxy server, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file located on a malicious server," the researchers note.
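A defender-side audit for the three host indicators described above (the AppStore login item, the PAC-driven proxy, and the added root certificate), written as an added example that is not from Check Point's report or from the malware analysis itself. The macOS commands named in the comments are real tools; the sample outputs, hostnames and certificate hashes are constructed placeholders, and each function parses saved command output so the logic runs offline.

```python
"""Offline checks for the three Dok indicators: a login item named AppStore,
a PAC-driven system proxy, and a root certificate missing from a known-good
baseline. Each function parses the text output of the named macOS command,
so it can be run against saved output; the samples below are constructed."""
import re
from typing import Iterable, Optional

def login_item_hijack(osascript_output: str, name: str = "AppStore") -> bool:
    # osascript -e 'tell application "System Events" to get the name of every login item'
    # prints a comma-separated list of login item names.
    return name in [i.strip() for i in osascript_output.strip().split(",")]

def pac_proxy_url(autoproxy_output: str) -> Optional[str]:
    # networksetup -getautoproxyurl <service> prints "URL: ..." and "Enabled: Yes|No";
    # an unset PAC shows "URL: (null)". Return the PAC URL only when it is enabled.
    url = re.search(r"^URL:\s*(\S+)", autoproxy_output, re.M)
    enabled = re.search(r"^Enabled:\s*(\w+)", autoproxy_output, re.M)
    if url and enabled and enabled.group(1).lower() == "yes" and url.group(1) != "(null)":
        return url.group(1)
    return None

def unexpected_roots(cert_dump: str, baseline: Iterable[str]) -> list:
    # security find-certificate -a -Z /Library/Keychains/System.keychain prints one
    # "SHA-1 hash:" line per certificate; compare against a baseline from a clean host.
    found = re.findall(r"^SHA-1 hash:\s*([0-9A-Fa-f]{40})", cert_dump, re.M)
    known = {h.upper() for h in baseline}
    return [h.upper() for h in found if h.upper() not in known]

def audit(login_items: str, autoproxy: str, cert_dump: str, baseline: Iterable[str]) -> dict:
    return {
        "login_item_hijack": login_item_hijack(login_items),
        "pac_proxy_url": pac_proxy_url(autoproxy),
        "unexpected_roots": unexpected_roots(cert_dump, baseline),
    }

# Constructed samples standing in for command output on an infected host.
SAMPLE_LOGIN_ITEMS = "iTunesHelper, AppStore, Dropbox"
SAMPLE_AUTOPROXY = "URL: http://proxy-config.invalid/proxy.pac\nEnabled: Yes\n"
GOOD_ROOT = "11" * 20   # placeholder hash of a legitimate root certificate
ROGUE_ROOT = "ee" * 20  # placeholder hash of the injected root certificate
SAMPLE_CERT_DUMP = (f"SHA-1 hash: {GOOD_ROOT}\nkeychain: (system)\n"
                    f"SHA-1 hash: {ROGUE_ROOT}\nkeychain: (system)\n")
BASELINE_ROOTS = [GOOD_ROOT]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOGIN_ITEMS, SAMPLE_AUTOPROXY, SAMPLE_CERT_DUMP, BASELINE_ROOTS).items():
        print(f"{key}: {value}")
```

Any PAC URL enabled on a host that does not use one, or any root hash absent from the baseline, is worth investigating; the login-item check alone is weak, since a legitimate item could carry that name.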