This new Dok campaign is distributed via phishing emails relating to financial or tax matters, with the payload deployed via a malicious ZIP file that victims are urged to run. This latest attack specifically targets macOS users, with the malware paired with a man-in-the-middle attack that enables the perpetrators to spy on all victim communications, even if they're SSL-encrypted.
Dok appears to be highly sophisticated malware, shown by mutations in its code that make it more difficult to detect and remove -- especially as Dok modifies the OS' settings in order to disable security updates and prevent some Apple services from communicating.
Once installed on a system, Dok downloads TOR for the purposes of communication with a command and control server over the dark web, which helps to geolocate the victim and customise the attack according to location -- with evidence suggesting the malware mainly targets users in Europe.
A proxy file is served to the victim depending on their location, with the aim of redirecting traffic for bank domains to a fake site hosted on the attacker's C&C server, which harvests login credentials and allows the attacker to carry out bank transactions.
For example, a proxy setting for a Swiss IP address contains instructions for redirecting the victims' attempts to visit banking websites local to the country, including Credit Suisse, Globalance Bank, and CBH Bank.
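Because the redirection is driven by a proxy auto-configuration (PAC) file that routes only selected banking hosts through a proxy while everything else goes direct, a defender can audit a recovered PAC file for exactly that pattern. The following is an added example, not code from the article or from Check Point; the PAC text, the bank domains (`bank-a.example` and so on) and the proxy address `attacker-proxy.invalid:5555` are constructed placeholders, and the watch list would in practice hold the institution's real domains.

```python
import re

# Constructed sample PAC file modelled on the behaviour described above:
# a handful of bank domains are sent to a proxy, all other traffic is DIRECT.
# All host names and the proxy address are placeholders, not real indicators.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "intranet.example")) {
        return "PROXY corp-proxy.example:8080";
    }
    if (dnsDomainIs(host, "bank-a.example") ||
        dnsDomainIs(host, "bank-b.example") ||
        shExpMatch(host, "*.bank-c.example")) {
        return "PROXY attacker-proxy.invalid:5555";
    }
    return "DIRECT";
}
"""

# Domains a defender cares about (constructed for this example).
WATCHLIST = ["bank-a.example", "bank-b.example", "bank-c.example"]

# Matches either a host test (dnsDomainIs / shExpMatch) or a return statement,
# in document order, so host patterns can be paired with the verdict that follows.
TOKEN = re.compile(
    r'(?:dnsDomainIs|shExpMatch)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)'
    r'|return\s+"([^"]+)"'
)


def proxied_hosts(pac_text):
    """Map every host pattern in the PAC file to the proxy string it resolves to."""
    result, pending = {}, []
    for m in TOKEN.finditer(pac_text):
        pattern, verdict = m.group(1), m.group(2)
        if pattern:
            pending.append(pattern)          # host test seen, verdict not yet known
        else:
            for p in pending:
                result[p] = verdict          # attach the return value to each test
            pending = []
    return result


def suspicious_rules(pac_text, watchlist):
    """Return (pattern, proxy) pairs where a watched financial domain is routed via PROXY."""
    flagged = []
    for pattern, verdict in proxied_hosts(pac_text).items():
        if not verdict.upper().startswith("PROXY"):
            continue
        bare = pattern.lstrip("*.")          # "*.bank-c.example" -> "bank-c.example"
        if any(bare == w or bare.endswith("." + w) for w in watchlist):
            flagged.append((pattern, verdict))
    return flagged
```

On a live macOS host the PAC URL itself can be read with `networksetup -getautoproxyurl <service>` and fetched for the same audit.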
After entering their login details, the user is prompted to provide their mobile number for supposed SMS verification. Obviously, this isn't what the phone number is for; instead the attackers use it to prompt the victim into downloading a mobile application -- as well as Signal, a legitimate messaging app.
It's likely Signal is installed in order to allow the attacker to communicate with the victim at a later stage or to commit additional malicious or fraudulent activities, such as installing malware onto the mobile device. Whatever the intentions of using Signal are, researchers note that its use will "make it harder for law enforcement to trace the attacker".
While the identity and location of those behind Dok is unknown, researchers note that the Apple malware is a version of the Retefe banking Trojan, which has been ported from Windows. Retefe has also been known to predominantly target European banks.
Whoever is behind OSX.Dok, Check Point warns the malware is still on the loose and will be a threat for some time to come, especially if the attackers continue to invest in advanced obfuscation techniques.