New 'DOK' Malware targeting MacOS



Raz0rEdge
04-28-2017, 11:31 AM
A new twist on the malware landscape that uses legitimate certificates to thwart the built-in protections of macOS. Once installed, the malware will monitor all network traffic and could steal any data it deems useful.

The whole thing, of course, starts with a phishing email relating to taxes (since all of us in the US just filed ours) that fools you into downloading a zip file.

This cannot be stressed enough. Government agencies (regardless of country) don't send you email with random ZIP files about whatever they are responsible for. So the IRS will not email you about taxes. If they want to contact you, they will use a very official letter sent through USPS and nothing else. So, do not click on any of these emails.

Read more: http://www.mactrast.com/2017/04/new-mac-malware-uses-apple-developer-certificate-infect-machines/

ferrarr
04-28-2017, 12:13 PM
Thanks for the heads up Ashwin.

chscag
04-28-2017, 03:38 PM
I read that this morning in my daily "Macworld Review email letter". This one is a real nasty especially if it gets your permission as Ashwin pointed out. It's bad enough I had to pay the IRS this year, so I can't imagine getting "Phished" by malware pretending to be them. Double whammy!

Be careful out there! ;D

MacInWin
05-03-2017, 12:43 PM
It's blocked already. You can test for it. In Terminal, enter this

cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist |grep -A1 "OSX.Dok.B"

I got that from an article on how to check your XProtect version:

http://osxdaily.com/2017/05/01/check-xprotect-version-mac/

Raz0rEdge
05-03-2017, 12:51 PM
<Mr. Burns>Excelleeeeent!</Mr. Burns>

docx
05-03-2017, 12:58 PM
Nice. Thank you

ProTruckDriver
05-03-2017, 01:43 PM
Thank you for the information :)

chscag
05-03-2017, 03:34 PM
It's blocked already. You can test for it. In Terminal, enter this

Thanks Jake. Good stuff. :)

RadDave
05-03-2017, 11:38 PM
It's blocked already. You can test for it. In Terminal, enter this

cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist |grep -A1 "OSX.Dok.B"

I got that from an article on how to check your XProtect version:

http://osxdaily.com/2017/05/01/check-xprotect-version-mac/

Thanks Jake - so I ran the above in Terminal and received the return shown below, so assume I'm fine? Dave :)

MacInWin
05-04-2017, 01:00 AM
Dave, the fact that the grep returned the string says that you are fine. If it had NOT returned the string name, then your XProtect would have needed updating.
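As an added example (not from the thread, and not Apple's code), the same presence check MacInWin describes, but done by parsing the plist with Python's plistlib instead of grepping it, so the result is an exact match on the signature name rather than a substring hit. The sample plist is constructed and its layout is an assumption modelled on the XProtect.plist format of that period; the file path is the one from MacInWin's command.

```python
import plistlib

# Path of the signature file MacInWin greps on macOS (from the thread).
XPROTECT_PLIST_PATH = ("/System/Library/CoreServices/XProtect.bundle/"
                       "Contents/Resources/XProtect.plist")

# Constructed sample (not Apple's real file), modelled on the XProtect.plist
# layout of that era: an array of signature dicts, each with a Description
# naming the threat and a list of Matches. The Identity hashes are dummy zeros.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.Dok.A</string>
    <key>Matches</key>
    <array><dict><key>MatchType</key><string>Match</string>
      <key>Identity</key><data>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</data></dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Dok.B</string>
    <key>Matches</key>
    <array><dict><key>MatchType</key><string>Match</string>
      <key>Identity</key><data>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</data></dict></array>
  </dict>
</array>
</plist>
"""


def signature_names(plist_bytes):
    """Return the Description of every signature entry, in file order."""
    entries = plistlib.loads(plist_bytes)
    return [e["Description"] for e in entries
            if isinstance(e, dict) and "Description" in e]


def has_signature(plist_bytes, name):
    """True only on an exact name match, unlike grep's substring/regex match."""
    return name in signature_names(plist_bytes)


def check_installed(name, path=XPROTECT_PLIST_PATH):
    """Read the live file; None means it is absent (e.g. not running macOS)."""
    try:
        with open(path, "rb") as f:
            return has_signature(f.read(), name)
    except OSError:
        return None


if __name__ == "__main__":
    print("OSX.Dok.B in sample:", has_signature(SAMPLE_XPROTECT_PLIST, "OSX.Dok.B"))
    print("OSX.Dok.B on this Mac:", check_installed("OSX.Dok.B"))
```

On a Mac, `check_installed("OSX.Dok.B")` reads the real file and answers the same question as the grep; anywhere else it returns None instead of a misleading "not found".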

Randy B. Singer
05-04-2017, 07:30 AM
A new twist on the malware landscape that uses legitimate certificates to thwart the built-in protections of macOS. Once installed, the malware will monitor all network traffic and could steal any data it deems useful.

Apple patched macOS against this malware before any of us had even heard of it.

OSX.Dok is a Trojan, not a virus. It arrives attached to an e-mail message. It can be completely avoided by not opening any e-mail attachments called “Dokument.zip”. (Or simply not opening any attachments to any e-mails that you aren't expecting or which don't come from someone you know.)

More importantly:
“Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it.”
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

RadDave
05-04-2017, 02:42 PM
Dave, the fact that the grep returned the string says that you are fine. If it had NOT returned the string name, then your XProtect would have needed updating.


Apple patched macOS against this malware before any of us had even heard of it.

OSX.Dok is a Trojan, not a virus. It arrives attached to an e-mail message. It can be completely avoided by not opening any e-mail attachments called “Dokument.zip”. (Or simply not opening any attachments to any e-mails that you aren't expecting or which don't come from someone you know.)

More importantly:
“Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it.”
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

Thanks Jake - that was my assumption, especially after Randy's further clarification above. Dave :)

Rod Sprague
05-06-2017, 01:31 AM
Thanks everybody, nice to stay abreast of these things.

Alwyn
05-15-2017, 10:34 AM
Yes, we have had similar e-mails in the UK purporting to come from our equivalent, HMRC, although none of them has included any attachments. Instead they suggest that the recipient is entitled to a refund etc.

Rod Sprague
05-16-2017, 03:09 AM
Are you? 😁