![\"Dok](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/05\/Dok-Mac-Malware.png\")
<\/p>\n<\/p>\n
Security researchers last Friday discovered a new piece of Mac malware, named OSX\/Dok, that affects all versions of OS X, including the latest macOS Sierra. Once installed, OSX\/Dok\u00a0is able to intercept all of your web traffic, even that which is transmitted over HTTPS.<\/p>\n
Hidden alongside Dok, Intego’s malware research team found another variant of the\u00a0malware, called “Bella,” which is very similar on the surface but installs a Remote Access Trojan (RAT) on infected Macs. Intego VirusBarrier<\/a>\u00a0with up-to-date malware definitions will detect and eradicate\u00a0each component as OSX\/Dok.A<\/strong> and OSX\/Dok.B<\/strong> respectively.<\/p>\n OSX\/Dok\u00a0is spread through phishing campaigns and was\u00a0seen posing as an email with questions about tax returns, written in German. According to Check Point<\/a> researchers, OSX\/Dok mostly targets European Mac users, which we will note\u00a0appears\u00a0accurate as these phishing emails have not been reported in other languages.<\/p>\n Image credit: Check Point. Sample of the phishing email spreading the malware.<\/p><\/div>\n The phishing email contains a Dokument.zip file that, when opened, shows a file named “Dokument,” which\u00a0uses an old Preview application icon that has not been used since OS X 10.9 Mavericks (and a poor quality one at that).<\/p>\n Compared to the actual Preview app icon used up until OS X 10.9 Mavericks, you can see in the above image that the quality is very poor. To savvy Mac users, this is an instant giveaway that something is amiss. On Macs running OS X 10.10 Yosemite or newer, the icon for Preview has actually changed, so it becomes even easier to spot the fake.<\/p>\n When the Dokument file is opened, a fake warning is displayed while the malware application AppStore.app is placed in the \/Users\/Shared\/ folder.<\/p>\n Now in its new location, OSX\/Dok\u00a0will execute itself and give all users on the system permission to run the malware, delete the original application copy, and then place itself in the Login Items to ensure it gets a chance to install its payload.<\/p>\n OSX\/Dok then displays a full screen message, stating that a security issue has been identified and updates are required. This window can not be moved or closed.<\/p>\n This fake security alert is a ploy to get your administrator password. It asks for your password when the “Update All” button is clicked. The window will stay up for about 5 minutes while in the background several changes to the system are made. These changes include the installation of brew, which in turn facilitates the installation of TOR and SOCAT. If\u00a0OSX\/Dok obtains\u00a0administrator privileges, thanks to the provided password, it grants admin privileges wherever needed without the user ever seeing a password prompt again. This is done by modifying the sudoers file.<\/p>\n When Dok is done, the full screen window will close and the Login Item is removed. The login item is replaced, however, with several LaunchAgents in \/Users\/*User*\/Library\/LaunchAgents<\/em>.<\/p>\n com.apple.Safari.pac.plist The first two files are obviously meant to look like they belong to Apple’s Safari browser; they don’t, however. The third file might be trying to masquerade as something related to Homebrew<\/a>, a popular macOS package manager.<\/p>\n Other system changes that are\u00a0made include a change to the Network settings to set up a proxy, and the installation of a root certificate in the System.keychain, which allows the attacker to intercept all web traffic sent through that proxy. Victims will not know that their information is being intercepted, noted<\/a> Check Point:<\/p>\n By abusing the victim\u2019s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser.<\/p><\/blockquote>\n The proxy setup can be viewed by opening System Preferences<\/strong> > Network<\/strong> > Select your active network connection<\/strong> > Advanced<\/strong> > Proxies<\/strong>.<\/p>\n Open up Applications<\/strong> > Utilities<\/strong> > Keychain Access<\/strong>, and select the System<\/strong> keychain. There you can see the root certificate Dok installed.<\/p>\n As a result of all of the above actions, when attempting to surf the web, the user\u2019s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim\u2019s traffic and tamper with it in any way they please.<\/p><\/blockquote>\n Alongside the discovery of Dok, Intego’s malware research team found another piece of malware, called “Bella,” identified by Intego VirusBarrier<\/a> as OSX\/Dok.B. While related to OSX\/Dok.A, its behavior appears to\u00a0be very different\u00a0from the other version.<\/p>\n The malware comes as a .zip file, named Dokument.zip, and contains an application named Dokument. Just like the above mentioned malware, it installs an AppStore application in \/Users\/Shared\/. The application is signed with the same certificate as well. That is where the similarities end.<\/p>\n OSX\/Dok.B\u00a0does not display a full screen window that claims software\u00a0updates need to be installed. Instead, it installs a backdoor named Bella, which is open-source and available on GitHub. Bella uses a Command & Control (C&C) server located in Russia and is capable of exfiltrating iOS backups, keychains, iMessage chat history and screenshots it makes. It’s also able to phish for passwords, capture data from your camera and microphone, and more. In short, Bella is a full fledged Remote Access Trojan (RAT) that doesn’t leave any visible traces on the infected system.<\/p>\n Whereas OSX\/Dok.A modified the system’s network settings and left visible files in the user \/Library\/LaunchAgents folder, OSX\/Dok.B makes no visible changes to any system settings and the files that are placed in the library are invisible.<\/p>\n The following files are placed in the User library:<\/p>\n ~\/Library\/Containers\/.bella\/Bella If Bella was able to gain root access, these items will be found in the root library instead.<\/p>\n At the time of writing, Apple has already revoked the developer certificate that was used to sign the malicious applications, which should avoid further infections. This kind of malware can be very dangerous as it can intercept traffic that is supposed to be secure and compromise a host of user data. Just think of what can happen if your online banking login credentials are intercepted.<\/p>\n To manually check for the invisible files OSX\/Dok.B placed, you first need to make invisible files visible in the Finder. In macOS Sierra this can quickly be done with the following key combination:<\/p>\n Command-Shift-. (period)<\/p><\/blockquote>\n For older OS X versions this can be done by typing the following commands in the Terminal app:<\/p>\n $ defaults write com.apple.Finder AppleShowAllFiles true When done, enter the same commands but change “true” to “false”. For Intego\u00a0VirusBarrier<\/a> customers, protection comes in the form of updated virus definitions, which will detect and remove all of the OSX\/Dok files. However, in order for VirusBarrier to grab these updated definitions, the proxy that was set by OSX\/Dok must be disabled first if you found yourself infected before these definitions were made available. As long as the proxy is on, VirusBarrier will not be able to contact the update servers. Intego VirusBarrier<\/a> detects all OSX\/Dok components as OSX\/Dok.A and OSX\/Dok.B<\/strong>.What is the infection vector?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/urgent-1.png\")
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/Dok-icon-comparison.png\"){kind=icon}
<\/p>\nWhere does\u00a0OSX\/Dok.A install?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/Dok-fake-warning.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/Dok-Login-Item.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/Dok-Fake-Updates.png\")
<\/p>\n
\ncom.apple.Safari.proxy.plist
\nhomebrew.mxcl.tor.plist<\/p><\/blockquote>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/Dok-Proxy-Changes.png\")
<\/strong><\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/Dok-Root-Cert-1.png\")
<\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2017\/04\/Dok-Root-Cert-2.png\")
<\/p>\nAn additional surprise: OSX\/Dok.B<\/h3>\n
\n~\/Library\/Containers\/.bella\/bella.db
\n~\/Library\/LaunchAgents\/com.apple.iTunes.plist<\/p><\/blockquote>\nShould Mac users be concerned about OSX\/Dok?<\/h3>\n
How to tell if your Mac is infected (and removal instructions)<\/h3>\n
\n
\n
\nIf these files are present, delete them.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n$ killall Finder<\/p><\/blockquote>\n
\nWith the hidden files now visible, check both the root library and the user library for these files:<\/p>\n\n
\n<\/strong><\/p>\nHow to protect yourself from OSX\/Dok<\/h3>\n