Dok Wants MacOS User’s Money, New-Old Malware is Back

Sometimes when malware is beaten, it comes back even stronger. That is the case with Dok, the new-old malware that is attacking macOS users once again; this time it is after users' money with a more sophisticated attack. Check Point security researchers have found that Dok is back.

Dok started as malware that intercepted the web traffic of macOS users, but now it tricks the user into handing over their online banking credentials. The attackers found a way to bypass Apple's Gatekeeper by purchasing and using valid Apple certificates. As Apple rushes to revoke these certificates, the attackers simply purchase and use more, with increasing frequency.

The malware itself delivers a typical phishing scam, but this time it is aimed at macOS only. The attack even bypasses SSL encryption by means of a man-in-the-middle attack: the malware lets you believe you are on the bank's genuine page, but the address is of course fake.


How will you know that the address is fake? Easy.

  • Wrong copyright years – the C&C server is probably using an old snapshot of the Credit-Suisse bank site from 2013 (the years appear in the bottom left of the page).

  • Missing the original Credit-Suisse SSL certificate – there was no alert about this because the malware installed a fake certificate in the root chain; however, it is possible to notice that the fake certificate is generic.

  • Missing auth token in the URL – token-based authentication ensures that each request to the server carries a signed token which the server verifies before responding. In this case there is no token, as the communication is with the C&C server and not with the real one.
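As an added example (not from this post or from Check Point's research), here is a small Python checker that turns the three cues above into automated findings over a captured login page. The token parameter names, issuer names, URLs and page snippets are constructed assumptions; the expected-issuer allowlist is something the defender has to know about the real bank site in advance.

```python
import re
from datetime import date
from urllib.parse import urlparse, parse_qs

# Query-parameter names that commonly carry a session/auth token.
# Assumption: the real site's parameter name is not given in the write-up.
TOKEN_PARAMS = ("token", "auth", "session", "sid")

# Matches "© 2013", "(c) 2005-2013", "Copyright 2013" and captures the last year.
COPYRIGHT_RE = re.compile(
    r"(?:©|\(c\)|copyright)\s*(?:\d{4}\s*[-\u2013]\s*)?(\d{4})", re.IGNORECASE)


def assess_login_page(url, html, issuer_cn, expected_issuers, today_year=None):
    """Return a list of findings; an empty list means none of the cues fired."""
    today_year = today_year or date.today().year
    findings = []

    # Cue 1: a copyright footer years behind today suggests an old site snapshot.
    m = COPYRIGHT_RE.search(html)
    if m is None:
        findings.append("no copyright notice found")
    elif int(m.group(1)) < today_year - 1:
        findings.append(f"stale copyright year {m.group(1)}")

    # Cue 2: a generic/unexpected issuer means the chain was replaced by a
    # locally installed root, which is exactly what Dok does.
    if issuer_cn not in expected_issuers:
        findings.append(f"unexpected certificate issuer '{issuer_cn}'")

    # Cue 3: no token parameter means the request never reached the real backend.
    if not any(p in parse_qs(urlparse(url).query) for p in TOKEN_PARAMS):
        findings.append("no auth token in URL")

    return findings


# Constructed sample inputs (placeholders, not real captures or real domains).
EXPECTED_ISSUERS = {"Example Bank Issuing CA"}
FAKE_URL = "https://ebanking.example-bank.test/login"
FAKE_HTML = "<footer>© 2013 Example Bank</footer>"
REAL_URL = "https://ebanking.example-bank.test/login?token=3f9a1c"
REAL_HTML = "<footer>© 2017 Example Bank</footer>"

if __name__ == "__main__":
    print(assess_login_page(FAKE_URL, FAKE_HTML, "Generic Root CA",
                            EXPECTED_ISSUERS, today_year=2017))
    print(assess_login_page(REAL_URL, REAL_HTML, "Example Bank Issuing CA",
                            EXPECTED_ISSUERS, today_year=2017))
```

The cues are heuristics: a legitimate site can have a stale footer or a tokenless URL, so treat a single finding as a prompt to inspect the certificate chain, not as proof of compromise.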

Read the full Check Point research.


Roy Shpitalnik

I have lived the life of a BlackBerry user since 2009, so I was first exposed to the 8900. With Israeli cellular world history, training and knowledge for more on BlackBerry, I decided to join the community. When the media bashed BlackBerry on a regular basis I decided to join BerryIL.COM. The truth must be published. Contact me on Twitter: @SimpleBerryRoy
