Mac Malware Ducks Apple's Defenses, Reads Your Email


OSX/Dok is the latest sophisticated piece of spyware to target MacBooks and other macOS machines, and it got onto systems quickly not by exploiting a bug but by abusing a design decision in the desktop operating system. Gatekeeper, the operating system's first line of defense, lets through any app signed with a valid Apple Developer ID certificate, and such a certificate comes with a $99-a-year Apple Developer Program membership, straight from Apple.


OSX/Dok's distributors used the age-old tactic of targeting victims with an email attachment, which in this case contained malware signed with a legitimate Apple Developer ID certificate. With that certificate, OSX/Dok could casually walk past macOS's Gatekeeper check like it owned the place, trick the user into giving it admin rights, then intercept the user's encrypted web traffic, including Gmail sessions and online financial transactions.


The malware, according to a blog post late last week by the Israeli security firm Check Point, comes bundled into an email attachment dubbed "Dokument.zip" attached to German-language emails claiming to be from Swiss government agencies inquiring about tax-return inconsistencies.

Once a user opens the ZIP file and runs the app inside it, the malware copies itself to the /Users/Shared directory, then deletes the original copy in the Downloads directory. It then shows the user a fake error message claiming that the system can't open the Dokument file, and nags the user to enter his or her administrator password to install a system update. It won't let the user close the nag window until he or she relents.

Of course, handing OSX/Dok an administrator password gives it root privileges: it can now change system settings, install software and run processes in the background, which effectively means it owns your system.

With that access, OSX/Dok installs a Tor client and reconfigures the Mac's network settings so that web traffic is routed through a proxy server the attackers control. It also installs its own root certificate into the system keychain, so the proxy can decrypt HTTPS connections and re-encrypt them en route with certificates the Mac now trusts; the HTTPS padlock icon stays in place and the user is none the wiser. By performing that man-in-the-middle attack, OSX/Dok can read your Gmail and Facebook activity, or steal information about online purchases or online bank accounts. The one visible tell is the issuer: click the padlock and the site's certificate will chain up to the rogue root rather than to a well-known certificate authority.
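Why planting a root certificate is what keeps the padlock lit, shown as an added example (this is neither Check Point's analysis code nor the malware itself; the root's name and the mail.google.com hostname are constructed for illustration): the code builds a throwaway root, forges a server certificate for a site with it, and shows that the forged certificate passes validation only when that root has been added to the client's trust store, which is exactly the step OSX/Dok needs admin rights for.

```go
// Added example: a rogue root CA and a forged leaf certificate, verified with
// and without the rogue root in the trust store. Not code from the article.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeRogueCA builds a self-signed root certificate of the kind a MitM proxy
// plants in the victim's keychain. The proxy keeps the private key.
func makeRogueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Rogue Root CA (constructed for this example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// forgeLeaf issues a server certificate for host, signed by the rogue root.
// An intercepting proxy does this on the fly for every site the victim visits.
func forgeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ForgedCertAccepted reports whether a TLS client validating the forged
// certificate for host would accept it. trustRogueRoot models whether the
// rogue root has been added to the client's trust store, as OSX/Dok does with
// the system keychain. A non-nil error is a key/certificate generation failure.
func ForgedCertAccepted(host string, trustRogueRoot bool) (bool, error) {
	ca, caKey, err := makeRogueCA()
	if err != nil {
		return false, err
	}
	leaf, err := forgeLeaf(ca, caKey, host)
	if err != nil {
		return false, err
	}
	// Start from an empty pool rather than the OS trust store so the result
	// does not depend on which real roots this machine happens to ship with.
	roots := x509.NewCertPool()
	if trustRogueRoot {
		roots.AddCert(ca)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil, nil
}

func main() {
	for _, trusted := range []bool{false, true} {
		ok, err := ForgedCertAccepted("mail.google.com", trusted)
		if err != nil {
			panic(err)
		}
		fmt.Printf("rogue root trusted=%v -> forged mail.google.com certificate accepted=%v\n", trusted, ok)
	}
}
```

Without the rogue root the forged certificate fails with an unknown-authority error and the browser would warn; with it, validation succeeds and nothing on screen changes. On a Mac, the corresponding checks are to look for a root you do not recognise in the System keychain (Keychain Access, or `security find-certificate -a -p /Library/Keychains/System.keychain`) and for a proxy you did not configure (`networksetup -getautoproxyurl Wi-Fi`, substituting the name of your network service).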

Macworld's Glenn Fleishman reported today (May 1) that Apple has revoked the developer certificate used by OSX/Dok. Gatekeeper should now block the malware if you leave it on its default settings, but it wouldn't take much for the attackers to sign a fresh build with another $99 certificate, or to update OSX/Dok to trick the user into temporarily disabling Gatekeeper.

So, what can you do?

  • First off, just because you have a Mac doesn't mean you don't need antivirus software. Here are our favorite picks for macOS machines.
  • As always, never open email attachments you are not 100 percent certain about, and never type your administrator password into a prompt you weren't expecting: no legitimate update makes you enter it to dismiss an error message.
  • For an extra layer of protection, install the free XFENCE tool, which asks for your approval before a rogue app can touch your files or take over your system.

Author Bio
Henry T. Casey
After graduating from Bard College with a B.A. in Literature, Henry T. Casey worked in publishing and product development at Rizzoli and The Metropolitan Museum of Art, respectively. Henry joined Tom's Guide and LAPTOP having written for The Content Strategist, Tech Radar and Patek Philippe International Magazine. He divides his free time between going to live concerts, listening to too many podcasts, and mastering his cold brew coffee process. Content rules everything around him.
2 comments
  • Jeff Garner Says:

    You do not need resource-sucking anti-virus software. You also failed to mention NEVER EVER enter admin credentials unless you are performing an install or update from a known developer or Apple and NEVER from a web site or email enclosure. You also give no evidence any anti-virus software would have stopped this before Apple did. More FUD! BTW users! Neither Apple, nor a legitimate software vendor, will force you to enter admin privileges. If that happens simply press your power button down until your machine restarts...something else the author could have pointed out.

  • doug p. Says:

    Shouldn't this article read, Malware briefly eluded MacOS defenses but was quickly stopped dead in its tracks?
