New MacOS Phishing Scheme Found

August 6, 2019
New MacOS Phishing Scheme Found

The 2017 version of OSX.Dok used a fake Preview icon to disguise an application bundle. The malware apparently targeted mostly European Mac users and was spread via an email phishing campaign that attempted to convince the user there was some problem with their tax returns.

 

A similar trick is used in the new version, only “Dokument” is now a fake Adobe PDF icon, with the instruction “Click twice on the icon to view the document” in German, presented when the user mounts the DMG.

 

Although we haven’t seen examples of how it is propagated, given the DMG is entitled DHL_Dokument (DHL is a German postal service and international courier company) and contains German text, we’d hazard a guess that it may well be targeting the same groups and using a similar email trick as before.

 

Double-clicking the Dokument.app launches a variety of tasks and installs a number of applications in the background. From the user’s perspective, the first thing that happens is the entire Desktop is overtaken by a fake “App Store” update splash screen. There’s no way for the user to cancel out or force quit from this view as the application disables the keyboard.

 

During this time, the keyboard is partially re-enabled to allow the victim to type in authorisation credentials in a pop-up dialog. There’s little point in hitting ‘Cancel’ as the dialog will just reappear repeatedly.

 

The only recourse victims really have at this point is a hard shutdown, followed by starting up in Safe mode to clear our not only the malware but also the persistence agents that have already been installed.

 

If the victim yields and supplies the password, OSX.Dok proceeds to install a hidden version of tor, and several utilities to enable stealth communication: socat, filan, and procan. The socat utility allows the malware to listen in on ports 5555 and 5588 until a connection comes in. The connection itself is traffic from the localhost, which is redirected to port 5555 by an autoproxy installed by the malware.

 

OSX.Dok is back. With the ability to completely intercept its victims’ internet traffic, it represents a high risk to macOS users. While the aggressive nature of the install would suggest most users would likely realize something is wrong, given the poor take-up of 3rd party security solutions by Mac users and the weakness of Apple’s built-in protections like XProtect and Gatekeeper, the hackers are still clearly gaining wins.

 

About the author

Leave a Reply