Sometimes when malware is beaten, it comes back even stronger. That is the case with Dok, the new-old malware that is attacking macOS users once again, and this time it is after their money with a more sophisticated attack. Check Point security researchers have found that Dok is back.
Dok started out as a man-in-the-middle malware that intercepted macOS users' web traffic, but the new variant tricks the user into handing over online banking credentials. The attackers bypass Apple's Gatekeeper by purchasing and using valid code-signing certificates issued by Apple. Apple keeps revoking these certificates, and the attackers simply buy more, with increasing frequency.
The attack itself is a typical phishing scam, but this time it targets macOS only. It even defeats SSL/TLS by sitting as a man in the middle: with its own root certificate installed on the victim's machine, it can serve a fake banking page over HTTPS without any browser warning. The page looks safe, but it is a fake.
How can you tell that the page is fake? Easy:
Wrong copyright year – the C&C server is probably serving an old snapshot of the Credit Suisse site from 2013 (the copyright notice appears at the bottom left of the page).
Missing the original Credit Suisse SSL certificate – there was no alert because the malware installed a fake root certificate on the machine, so the browser trusts whatever the C&C server presents; however, inspecting the certificate shows that it is a generic one rather than the bank's own.
Missing auth token in the URL – with token-based authentication, each request to the server carries a signed token that the server verifies before it responds. Here there is no token, because the communication is with the C&C server and not with the real bank.
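The three indicators above can be turned into an automated check. The script below is an added example written for this article; it is not code from Check Point or from the malware analysis. It takes the page URL, the page HTML and the server certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and reports each indicator it finds. The expected issuer name, the token parameter name, the sample certificates and the sample HTML are all constructed assumptions for the demo; a real deployment would record the bank's actual issuer and token parameter.

```python
import re
from datetime import date
from urllib.parse import parse_qs, urlparse


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _san_matches(host, san):
    """Exact or single-level wildcard match of a hostname against a DNS SAN entry."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san


def inspect_login_page(url, html, cert, expected_issuer_cn, token_param="token", today=None):
    """Return a list of phishing indicators for a banking login page.

    cert: dict as returned by ssl.SSLSocket.getpeercert().
    expected_issuer_cn / token_param: defender-supplied values (assumptions here).
    """
    today = today or date.today()
    findings = []

    # Indicator: the certificate is not the bank's own. A locally injected root
    # CA suppresses the browser warning, but the issuer name still gives it away.
    subject_cn = _rdn_value(cert.get("subject", ()), "commonName")
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn == subject_cn:
        findings.append("certificate is self-signed")
    elif issuer_cn != expected_issuer_cn:
        findings.append(
            f"certificate issued by {issuer_cn!r}, expected {expected_issuer_cn!r} (injected root CA?)"
        )

    host = urlparse(url).hostname or ""
    san_hosts = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_san_matches(host, s) for s in san_hosts) and subject_cn != host:
        findings.append(f"certificate does not cover {host!r}")

    # Indicator: no signed auth token in the URL, so this is not the real backend.
    if token_param not in parse_qs(urlparse(url).query):
        findings.append(f"no {token_param!r} parameter in URL")

    # Indicator: stale copyright year from an old snapshot of the site.
    years = [
        int(y)
        for y in re.findall(
            r"(?:©|&copy;|copyright)\s*(?:\d{4}\s*[-–]\s*)?(\d{4})", html, re.IGNORECASE
        )
    ]
    if years and max(years) < today.year - 1:
        findings.append(f"copyright year {max(years)} is stale")

    return findings


# Constructed sample inputs (not real certificates or pages).
EXPECTED_ISSUER = "Example Public CA"  # assumption: the CA the real site uses
REFERENCE_DATE = date(2017, 7, 1)      # fixed "today" so the demo is reproducible

GENUINE_CERT = {
    "subject": ((("commonName", "www.credit-suisse.com"),),),
    "issuer": ((("commonName", EXPECTED_ISSUER),),),
    "subjectAltName": (("DNS", "credit-suisse.com"), ("DNS", "www.credit-suisse.com")),
}
FAKE_CERT = {  # what a MITM proxy with an injected root CA would present
    "subject": ((("commonName", "www.credit-suisse.com"),),),
    "issuer": ((("commonName", "Generic Root CA"),),),
    "subjectAltName": (("DNS", "www.credit-suisse.com"),),
}
GENUINE_URL = "https://www.credit-suisse.com/login?token=abc123"
FAKE_URL = "https://www.credit-suisse.com/login"
GENUINE_HTML = "<footer>&copy; 2017 Credit Suisse</footer>"
FAKE_HTML = "<footer>© 2013 Credit Suisse</footer>"


def demo():
    """Run both samples; returns (findings for genuine page, findings for fake page)."""
    genuine = inspect_login_page(GENUINE_URL, GENUINE_HTML, GENUINE_CERT, EXPECTED_ISSUER, today=REFERENCE_DATE)
    fake = inspect_login_page(FAKE_URL, FAKE_HTML, FAKE_CERT, EXPECTED_ISSUER, today=REFERENCE_DATE)
    return genuine, fake


if __name__ == "__main__":
    genuine, fake = demo()
    print("genuine:", genuine or "no indicators")
    print("fake:", *fake, sep="\n  ")
```

The issuer check is the one that matters most: a MITM proxy backed by an injected root certificate can mint a certificate whose subject and SAN match the bank's hostname perfectly, so hostname matching alone passes. Comparing the issuer (or, better, pinning the leaf certificate fingerprint) against what the real site is known to use is what exposes the substitution.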