Ofer Caspi, of the Check Point malware research team, has published details of new malware targeting macOS and OS X systems, which has been named OSX/Dok (it has also been named elsewhere).

Currently this is being spread by a phishing attack, typically an email message concerning an issue such as tax returns. Attached to that is a Zip archive containing the malware's installer, posing as a document. This has so far been targeted mainly at European users, and Check Point provides an example which was received in Germany, its message written in German. As it gains access to all communications, including those encrypted by SSL, and is signed with a valid developer certificate, it presents a serious threat to Mac users.

When opened, that installer copies itself into the /Users/Shared folder, and runs a shell script to complete its installation. Once fully installed, it appears as an app named AppStore.app located in /Users/Shared. There should, of course, be no such app there.

The app then presents an alert stating that the original enclosure couldn't be opened, following which it adds itself as a Login Item which persists and runs automatically unless removed. It then creates a bogus information dialog claiming that OS X updates are available, and offers one option, to update all; this dialog blocks all other windows and apps.

It installs further components (including the Brew package manager, Tor, and Socat) and performs extensive surgery to network settings to divert all internet communications via its proxy server. This includes the installation of two further LaunchAgents, which are put in a spurious path, /Users/%User%/Library/LaunchAgents (where %User% stands for the user's account name). This is a complex and sophisticated attack, not the work of an amateur.

Anti-virus protection is now starting to detect it, but removal is likely to be a tougher proposition: Malwarebytes' Anti-Malware should now detect it reliably, and other products should follow. It is tempting to speculate that it might be part of a targeted phishing campaign, as we have seen recently against OS X / macOS users.

It appears unlikely that the recent update to Apple's MRT (Malware Removal Tool) provides any protection from OSX/Dok.

Apple has today revoked the developer certificate used to sign the installer Dokument.app, so that should now be blocked by Gatekeeper.
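If you want to check a Mac for the traces described above rather than wait for anti-virus signatures, the following shell script is an added example (it is not from the original post, nor from Check Point's report). It looks for the four indicators the text names: AppStore.app in /Users/Shared, an AppStore entry among the Login Items, LaunchAgents under the user's own Library folder that claim an Apple identifier, and an automatic proxy configuration switched on in the network settings. The function name, its parameters, the assumption that the malicious LaunchAgents carry `com.apple.` names, the `Wi-Fi` service name, and the assumed output format of `networksetup -getautoproxyurl` (a `URL:` line followed by an `Enabled: Yes|No` line) are this example's own; the Login Item list and the proxy report are read from files so the checks can be run, and tested, offline.

```shell
#!/bin/sh
# Added example: checks for the on-disk, Login Item and network-setting
# indicators of OSX/Dok described in the post. Not the post's own code.

# dok_check SHARED_DIR LAUNCHAGENTS_DIR LOGIN_ITEMS_FILE PROXY_REPORT_FILE
#   SHARED_DIR        folder to inspect for AppStore.app (normally /Users/Shared)
#   LAUNCHAGENTS_DIR  the user's LaunchAgents folder (normally ~/Library/LaunchAgents)
#   LOGIN_ITEMS_FILE  file holding the output of
#                     osascript -e 'tell application "System Events" to get the name of every login item'
#   PROXY_REPORT_FILE file holding the output of `networksetup -getautoproxyurl <service>`
#                     (assumed format: "URL: ..." then "Enabled: Yes|No")
# Prints one line per finding and returns the number of findings (0 = nothing found).
dok_check() {
    shared_dir=$1
    agents_dir=$2
    login_items=$3
    proxy_report=$4
    findings=0

    # 1. The fully installed malware appears as /Users/Shared/AppStore.app,
    #    a location where no such app should ever exist.
    if [ -d "$shared_dir/AppStore.app" ]; then
        echo "FINDING: $shared_dir/AppStore.app is present"
        findings=$((findings + 1))
    fi

    # 2. It adds itself as a Login Item so that it runs at every login.
    if [ -f "$login_items" ] && grep -q 'AppStore' "$login_items"; then
        echo "FINDING: a Login Item named AppStore is registered"
        findings=$((findings + 1))
    fi

    # 3. Two further LaunchAgents are dropped under the user's own Library folder.
    #    Heuristic (assumption of this example): Apple's genuine agents live in
    #    /System/Library/LaunchAgents, so a com.apple.* plist in a user folder is suspect.
    for plist in "$agents_dir"/com.apple.*.plist; do
        [ -e "$plist" ] || continue
        echo "FINDING: Apple-named LaunchAgent in a user folder: $plist"
        findings=$((findings + 1))
    done

    # 4. Traffic is diverted via the malware's proxy by rewriting the network
    #    settings; an enabled automatic proxy configuration is the visible symptom.
    if [ -f "$proxy_report" ] && grep -q '^Enabled: Yes' "$proxy_report"; then
        url=$(sed -n 's/^URL: //p' "$proxy_report")
        echo "FINDING: automatic proxy configuration is enabled (URL: ${url:-unknown})"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Live usage on a Mac. The guard keeps the script runnable on systems without
# these tools; the service name "Wi-Fi" is an assumption and may need changing.
if command -v networksetup >/dev/null 2>&1 && command -v osscript >/dev/null 2>&1; then
    items=$(mktemp) && report=$(mktemp)
    osascript -e 'tell application "System Events" to get the name of every login item' > "$items"
    networksetup -getautoproxyurl Wi-Fi > "$report"
    dok_check /Users/Shared "$HOME/Library/LaunchAgents" "$items" "$report" \
        || echo "$? indicator(s) found; do not rely on removal by hand alone"
    rm -f "$items" "$report"
fi
```

A clean result from this script does not prove the machine is clean: the heuristic in step 3 only catches the naming pattern assumed here, and a proxy diversion can also be arranged through other settings than an automatic proxy URL. Treat any finding as grounds for a full examination rather than deleting the named files and moving on.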