Get Free Information Around Information Security &
The Latest News in Cybersecurity Right to Your Inbox

Mac Malware OSX.Dok is Back, Actively Infecting Victims

By Philip Stokes -

First discovered in 2017, OSX.Dok is a little more sophisticated than most malware that targets macOS, and we’re not surprised to see it back in 2019. In this post, we take a look at how it works and explain how we discovered that new infections are occurring even as we write.

The story began on Christmas Day, when a new variant of OSX.Dok was signed with a valid Developer ID at 12:48pm on 25th December, 2018. We first spotted it on the 9th January and informed Apple through unofficial channels. Shortly after, the developer’s signature was revoked by the Cupertino company. Nevertheless, as we’ll see in this post, that has not stopped the attackers from continuing to compromise Mac users.

What’s up, Dok?

OSX.Dok is packaged inside a DMG called either DHL_Dokument.dmg or Strichkode DHL Express.dmg and uses the bundle identifier Swisscom.Application.

A screenshot of newly OSX.Dok

The 2017 version of OSX.Dok used a fake Preview icon to disguise an application bundle. The malware apparently targeted mostly European Mac users and was spread via an email phishing campaign that attempted to convince the user there was some problem with their tax returns.

A similar trick is used in the new version, only “Dokument” is now a fake Adobe PDF icon, with the instruction “Click twice on the icon to view the document” in German, presented when the user mounts the DMG. Although we haven’t seen examples of how it is propagated, given the DMG is entitled DHL_Dokument (DHL is a German postal service and international courier company) and contains German text, we’d hazard a guess that it may well be targeting the same groups and using a similar email trick as before.

A screenshot of fake dok app

Barely visible at the bottom of the view is the file name that reveals it’s true nature: ‘Dokument.app’. This is more obvious if the DMG is opened in the Finder’s column or list view:

Screenshot of fake dok ap in column view

A Different Kind of App Store

Double-clicking the Dokument.app launches a variety of tasks and installs a number of applications in the background. From the user’s perspective, the first thing that happens is the entire Desktop is overtaken by a fake “App Store” update splash screen. There’s no way for the user to cancel out or force quit from this view as the application disables the keyboard. Though we don’t often see this technique on macOS, this is not some new technique the hackers have conjured up. Rather, the malware authors have just leveraged the same Apple APIs that games developers use to produce an immersive experience and force players into particular game situations.

Screenshot of fake App Store Updates

In this case, the “game” is to stop the user interfering while the malware installs a variety of other software. There’s so much being installed, in fact, that if you have a Mac with cooling fans you’re likely to hear the fans spin up as the CPU comes under heavy load and internal heat starts to build. The whole installation takes several minutes.

During this time, the keyboard is partially re-enabled to allow the victim to type in authorisation credentials in a pop-up dialog. There’s little point in hitting ‘Cancel’ as the dialog will just reappear repeatedly. The only recourse victims really have at this point is a hard shutdown, followed by starting up in Safe mode to clear our not only the malware but also the persistence agents that have already been installed.

If the victim yields and supplies the password, OSX.Dok proceeds to install a hidden version of tor, and several utilities to enable stealth communication: socat, filan, and procan. The socat utility allows the malware to listen in on ports 5555 and 5588 until a connection comes in. The connection itself is traffic from the localhost, which is redirected to port 5555 by an autoproxy installed by the malware.

A screenshot of setting an autoproxy

The malware writes multiple Apple domain names into the local hosts file so that connections to these get redirected to 127.0.0.1. Once the malware starts capturing the user’s traffic, it then connects to a server on the Dark Net, ltro3fxssy7xsqgz.onion and begins data transfer.

Screenshot of socat processes

With Persistence, and Privilege

Meanwhile, the malicious installer writes several persistence agents. Three are installed in the user’s Library LaunchAgents folder, and one in the local domain’s LaunchDaemons folder:

Screenshot of dok persistence

The LaunchDaemon program argument at /usr/local/bin/JKHFJqTP is a shell script that ensures the autoproxy is set on all interfaces.

As with the earlier versions of OSX.Dok, this one installs a trust certificate in the Keychain. It also writes to the sudoers file to ensure that privileges can be maintained without having to repeatedly ask for a password. The last entry shown below in /etc/sudoers means any user can run any sudo command without being prompted for authentication.

Screenshot of modifying the sudoers file

The European Connection

This version of OSX.Dok is very much a clone of the older version, with the following differences.

  • New developer ID: Anton Ilin (48R325WWDB)
  • New App BundleID: Swisscom.Application
  • New Icon: Adobe PDF (instead of Preview PDF)
  • New Dark Net address: ltro3fxssy7xsqgz.onion

The SentinelOne agent not only detects OSX.Dok and protects SentinelOne customers from this infection but also allowed us to discover that the OSX.Dok’s authors had hardcoded an ftp username and password into the malware.

Screenshot of SentinelOne threat hunting

The console’s “Visibility” feature revealed that the malware uses curl and the ftp protocol to upload a log file from the victim’s machine to the following address (redacted as we believe that the address owner may unknowingly be hosting these files and indeed be a victim of hacking themselves):

ftp://engel-*******:0*******[email protected]******a.com/logs/

Screenshot of malware uses ftp

With the login name and password, we were able to access the ftp server and note that logs were still being sent at the time of writing, with 43 logs collected since yesterday. Here’s a partial (and redacted) list of some of the victims log files:

Screenshot of partial list of victims

Summary

OSX.Dok is back. With the ability to completely intercept its victims’ internet traffic, it represents a high risk to macOS users. While the aggressive nature of the install would suggest most users would likely realize something is wrong, given the poor take-up of 3rd party security solutions by Mac users and the weakness of Apple’s built-in protections like XProtect and Gatekeeper, the perpertrators are still clearly gaining wins. As our analysis shows, at least 43 compromises have occurred since yesterday. We are in the process of passing on our findings to the appropriate authorities and will keep you posted of further developments.


Like this article? Follow us on LinkedInTwitter, YouTube or Facebook to see the content we post.

Read more about macOS Security

A Review of Malware affecting macOS in 2018

Mojave’s security “hardening” | User protections could be bypassed

Inside Safari Extensions | Malware’s Golden Key to User Data

The Weakest Link: When Admins Get Phished | MacOS “OSX.Dummy” Malware

What's New

eBook

90 Days: A CISO’s Journey to Impact - Volume II

We have partnered with some of the most successful CISOs to create a blueprint for success

Report

SentinelOne H1 2018 Enterprise Risk Index

Our research team closely monitors all SentinelOne endpoints for insights

Live Demo

Endpoint Protection Platform Free Demo

Interested in seeing us in action? Request a free demo and we will follow up soon