New 'DOK' Malware targeting MacOS

Raz0rEdge · Apr 28, 2017

A new twist on the malware landscape that uses legitimate certificates to thwart the built-in protections of macOS. Once installed, the malware will monitor all network traffic and could steal any data it seems useful..

The whole thing, of course, starts with a phishing email relating to taxes (since all of us in the US just filed ours) that fools you into downloading a zip file..

This cannot be stressed enough. Government agencies (regardless of country) don't send you email with random ZIP files about whatever they are responsible for. So the IRS will not email you about taxes. If they want to contact you, they will use a very official letter sent through USPS and nothing else. So, do not click on any of these emails..

Read more: http://www.mactrast.com/2017/04/new-mac-malware-uses-apple-developer-certificate-infect-machines/

ferrarr · Apr 28, 2017

Thanks for the heads up Ashwin.

chscag · Apr 28, 2017

I read that this morning in my daily "Macworld Review email letter". This one is a real nasty especially if it gets your permission as Ashwin pointed out. It's bad enough I had to pay the IRS this year, so I can't imagine getting "Phished" by malware pretending to be them. Double whammy!

Be careful out there! ;D

MacInWin · May 3, 2017

It's blocked already. You can test for it. In Terminal, enter this

cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist |grep -A1 "OSX.Dok.B"

I got that from an article on how to check your XProtect version:

http://osxdaily.com/2017/05/01/check-xprotect-version-mac/

Raz0rEdge · May 3, 2017

<Mr. Burns>Excelleeeeent!</Mr. Burns>

docx · May 3, 2017

Nice. Thank you

ProTruckDriver · May 3, 2017

Thank you for the information

chscag · May 3, 2017

It's blocked already. You can test for it. In Terminal, enter this

Thanks Jake. Good stuff.

RadDave · May 3, 2017

MacInWin said:
It's blocked already. You can test for it. In Terminal, enter this

cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist |grep -A1 "OSX.Dok.B"

I got that from an article on how to check your XProtect version:

http://osxdaily.com/2017/05/01/check-xprotect-version-mac/

Thanks Jake - so I ran the above in Terminal and received the return shown below, so assume I'm fine? Dave

.

Screen Shot 2017-05-03 at 8.03.21 PM.png

MacInWin · May 4, 2017

Dave, the fact that the grep returned the string says that you are fine. If it had NOT returned the string name, then your Xprotect would have needed updating.

Randy B. Singer · May 4, 2017

Raz0rEdge said:
A new twist on the malware landscape that uses legitimate certificates to thwart the built-in protections of macOS. Once installed, the malware will monitor all network traffic and could steal any data it seems useful..

Apple patched the MacOS against this malware before any of us had even heard of it.

OSX.DOC is a Trojan, not a virus. It arrives attached to an e-mail message. It can be completely avoided by not opening any e-mail attachments called “Dokument.zip”. (Or simply not opening any attachments to any e-mails that you aren't expecting or which don't come from someone you know.)

More importantly:
“Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it.”
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

RadDave · May 4, 2017

MacInWin said:
Dave, the fact that the grep returned the string says that you are fine. If it had NOT returned the string name, then your Xprotect would have needed updating.

Randy B. Singer said:
Apple patched the MacOS against this malware before any of us had even heard of it.

OSX.DOC is a Trojan, not a virus. It arrives attached to an e-mail message. It can be completely avoided by not opening any e-mail attachments called “Dokument.zip”. (Or simply not opening any attachments to any e-mails that you aren't expecting or which don't come from someone you know.)

More importantly:
“Apple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it.”
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

Thanks Jake - that was my assumption, especially after Randy's further clarification above. Dave

Rod · May 6, 2017

Thanks everybody, nice to stay abreast of these things.

Alwyn · May 15, 2017

Yes we have had similar e-mails in UK purporting to come from our equivalent HMRC although none of them has included any attachments. Instead they suggest that the recipient is entitled to a refund etc.

Rod · May 16, 2017

Are you? ?

New 'DOK' Malware targeting MacOS

Raz0rEdge

Well-known member

ferrarr

chscag

Well-known member

MacInWin

Guest

Raz0rEdge

Well-known member

docx

ProTruckDriver

chscag

Well-known member

RadDave

MacInWin

Guest

Randy B. Singer

RadDave

Rod

Alwyn

Rod

Shop Amazon