The “Dok” malware, detected by Trend Micro as “OSX_DOK.C”, presents advanced features such as certificate abuse and security-software evasion, and affects machines running Apple’s OSX operating system.
Dok is typically delivered via email. It is built to spy on victims by installing a new root certificate and changing the infected device’s network settings so that its traffic is redirected through Tor.
According to Trend Micro:
“OSX_DOK.C first arrives via a phishing email that contains certain files labeled as either .zip or .docx files. The sample we analyzed was a purported message from a police inspector in Zurich allegedly claiming to unsuccessfully contact the recipient. The email also comes with two files attached claiming to contain questions for the user: one is a .zip file, which is a fake OSX app, while the other is a .docx file used to target Windows operating systems using WERDLOD.”
This malware, built specifically to target Swiss banking users, relies on a phishing email to deliver its payload; the end result is the hijacking of the user’s network traffic through a Man-in-the-Middle (MitM) attack.
“The first (port 5555) proxy first finds the IP parameter. If it is not in Switzerland, the traffic will proceed as normal. If it detects an IP located in Switzerland, the malware will run an obfuscated JavaScript code and find its visiting domain. If the domain is in the target, the malware will perform a MitM attack and redirect the traffic to the second proxy (port 5588), which routes the traffic to the Tor network. The purpose of these steps is to target users in Switzerland and hijack their traffic.”
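The traffic hijack described above depends on the Mac’s system proxy settings pointing at the two local proxies (ports 5555 and 5588). The following script is an added example for defenders, not code from the article or from Trend Micro: it parses the text that macOS’s `networksetup -getwebproxy` and `-getsecurewebproxy` print (`Enabled:`, `Server:`, `Port:` lines, an assumption about the output format) and flags any enabled proxy on one of those ports. The `check_proxy_output` parser reads that text from stdin so it can be exercised offline with constructed input; the live scan only runs when `networksetup` is present.

```shell
#!/bin/sh
# Added example (not from the article or Trend Micro): flag macOS proxy
# settings that match the OSX_DOK.C traffic-hijacking pattern, i.e. an
# enabled HTTP/HTTPS proxy whose port is one of the two local proxies
# the article describes (5555 and 5588).

# Ports the article attributes to the malware's two local proxies.
SUSPECT_PORTS="5555 5588"

# check_proxy_output: read one network service's proxy settings on stdin
# (the "Enabled:/Server:/Port:" text format printed by networksetup, an
# assumption about that tool's output) and print
#   "SUSPECT <server>:<port>"  when an enabled proxy uses a suspect port,
#   "OK"                        otherwise.
check_proxy_output() {
    enabled=""; server=""; port=""
    while IFS= read -r line; do
        case "$line" in
            "Enabled: "*) enabled="${line#Enabled: }" ;;
            "Server: "*)  server="${line#Server: }" ;;
            "Port: "*)    port="${line#Port: }" ;;
        esac
    done
    if [ "$enabled" = "Yes" ]; then
        for p in $SUSPECT_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "SUSPECT ${server}:${port}"
                return 0
            fi
        done
    fi
    echo "OK"
    return 0
}

# scan_proxies_live: on macOS, run the parser over every network service
# for both the HTTP and the HTTPS proxy setting. Skipped where
# networksetup is not installed (any non-macOS host).
scan_proxies_live() {
    if ! command -v networksetup >/dev/null 2>&1; then
        echo "networksetup not found; skipping live scan"
        return 0
    fi
    # First output line is a legend; a leading '*' marks a disabled service.
    networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
        svc="${svc#\*}"
        for kind in -getwebproxy -getsecurewebproxy; do
            printf '%s %s: ' "$svc" "$kind"
            networksetup "$kind" "$svc" | check_proxy_output
        done
    done
}

scan_proxies_live
```

A `SUSPECT` line is only an indicator: a legitimate local proxy could use the same port, so confirm what process is listening there and whether a root certificate you do not recognise was added to the System keychain (`security find-certificate -a -p /Library/Keychains/System.keychain` lists them), since the article names certificate installation as the other half of the hijack.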