There’s a new, particularly nasty, piece of malware doing the rounds just now. It’s called Trojan.OSX.Dok and it wants to see what you’re doing online.
First reported by CheckPoint, the new malware is delivered via email and would appear to have initially been targeted at European users, although we’ve also received reports of sightings from outside Europe.
The malware arrives inside a zip file and is signed with a valid developer ID signature so is permitted to run even when Apple’s Gatekeeper is enabled.
It then proceeds to set up your computer to route all your web traffic through a server in the dark web, allowing the criminals to read all the web pages you visit and potentially even inject content into those pages.
What’s particularly worrying about this new malware is that it’s also capable of reading all your protected (https) web traffic, so this means it can also read any username and passwords that you submit anywhere and even see/modify the content of web pages on sensitive sites like internet banking.
So, how does it do this?
When it first runs, Dok downloads a litany of other software (some legitimate like Apple’s developer tools, some less-so like tor). These additional downloads are huge, so it can take a long time while the software looks like it’s hung and apparently doing nothing.
Eventually, after pummelling your hard disk with thousands of files, Dok installs a couple of LaunchAgents (disguised to look like they’re from Apple) which set up a tunnel into the proxy server on the dark web. Using a LaunchAgent ensures it runs every time you startup your Mac. It then reconfigures your network settings to direct all network traffic through that tunnel, allowing the rogue server to see and manipulate it.
This type of attack is known as a MITM (or Man in the Middle) as the rogue server sits between you and the site you’re trying to access.
Doesn’t HTTPS and the padlock/green browser bar prevent this?
Well, yes and no. Under normal circumstances, https would prevent a MITM attack from taking place as the MITM would be detected, and your browser would then block access to the secure server.
However, in this instance, Dok goes even further and installs a rogue root certificate into the system keychain which allows the MITM to evade detection.
OK, so what can I do about it?
ClamXAV has already been updated to detect, prevent, and remove this malware on sight. Depending on your settings, you may need to update your virus definitions manually, so launch ClamXAV and click the “Update Definitions” button on the toolbar. If you’ve been infected, ClamXAV will immediately display this as a System Infection. Select it and hit the Delete button on the toolbar.
The additional non-malicious files which get installed (Apple’s developer tools etc) will not be removed as there will be many users who have legitimate reasons for needing those on their computer.
You should also manually remove the rogue root certificate from the keychain by opening Keychain Access in your Utilities folder. Within Keychain Access, search for the word COMODO using the search box at the top right. There will be several items returned, however, you only want to remove the one named “COMODO RSA Extended Validation Secure Server CA 2”. You should not remove any others as this may cause unexpected side effects.
Further action
If you have been infected with this malware, and you believe you may have visited important/sensitive sites such as online banking, then you should change your passwords for those services.
Update (2 May 2017)
A variant has been spotted which delivers a different payload, opening up a back door into your Mac, allowing the criminals to steal a whole host of information from your computer. ClamXAV will also detect and remove this malware. Despite being related to Dok, ClamXAV will actually detect it as Trojan.OSX.Bella.