Since being discovered, OSX/Dok malware has been growing fast. The latest version of the malware enabled attackers to obtain victim’s financial credentials by imitating banking websites.

What’s worse is that fake websites also urge victims to download a malicious app on their mobile phones. Once the application is there, the attacker could then use it to steal sensitive data or infect the victim’s mobile device.

How is it distributed?

The malware easily spreads through phishing emails. The latter typically relate to tax or finances, and come with an attached zip file containing the malicious application.

According to experts at Check Point, “this phishing campaign is combined with a man-in-the-middle (MiTM) attack, allowing complete access to all victim communication, even if it’s SSL encrypted.”

As it turns out, the code of the malware has mutating capabilities, which makes it highly complex. Dok is quite problematic to detect or remove. It is able to configure the OS settings, which allows the malware to knock off security updates. This, in turn, cuts off any communication between Apple services.

The malware comes signed with Apple certificates

GateKeeper is a special security feature that specifically focuses on preventing installs of unsigned apps in the macOS.

To sign the app bundle, the perpetrators purchase Apple certificates, paying $99 per each. Signed by an official Apple developer certificate, the malware may trick the security feature into thinking the malicious application is credible.

Location-based attacks

As soon as the installation process is complete, Dok downloads TOR which is essential for staying in touch with a command and control server via the dark web. This way, the attackers can identify the geo-location of their target. The perpetrators then tailor the attack, depending on a specific location. Considering all the evidence, specialists at Check Point state that “the malware targets mainly European residents.”

The perpetrators use proxy files based on users’ locations, and reroute them to fake websites that are hosted on their C&C server. This allows the attackers to get victims’ credentials and perform bank transactions.

Upon providing login information, the victim is urged to enter their phone number in order to proceed to SMS verification. Once the attackers get ahold of the number, they suggest the user to install a mobile malware to pull additional fraudulent activities.

Who stands behind the malware?

Today, both the attackers’ identities and locations still remain unknown. Specialists are actively trying to figure out who owns the malware. However, researchers also point out that the threat is more likely to stick around for quite some time, considering all the obfuscation techniques and investments the perpetrators are ready to make.