OSX.Dok, a malware that rattled Mac users back in 2017, has once again come back to take on the Apple ecosystem. A blog post published a few days ago highlighted the malware's recent activity.
Unlike the previous version, OSX.Dok now has a new trick up its sleeve. This time it disguises itself as a fake Adobe PDF document and asks the user to open the file.
Modus Operandi
OSX.Dok is delivered in a DMG package called either 'DHL Dokument.dmg' or 'Strichkode DHL Express.dmg' and uses the bundle identifier 'Swisscom.Application'.
The earlier version of the malware spread through a phishing campaign targeting European users. It disguised itself as an application bundle carrying a fake Preview icon.
The new variant instead disguises itself with a fake Adobe PDF icon and names the application bundle 'Dokument'. When the DMG is mounted, it instructs the user, in German, to double-click the icon.
The German-language instruction and the package name 'DHL Dokument.dmg' suggest that the attackers are once again targeting European users.
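The delivery details above (the DMG file names, the bundle name 'Dokument' and the bundle identifier 'Swisscom.Application') are the kind of static indicators a defender can sweep a download folder or a mounted DMG for. The following script is an added example written for this page, not code from the article or from any vendor: it walks a directory, parses each .app bundle's Info.plist with plistlib, and reports matches against the indicators the article reports. The sample tree it builds in a temporary directory is constructed for the demo; the benign 'Preview.app' and its identifier 'com.example.preview' are placeholders.

```python
import os
import plistlib
import tempfile

# Indicators as reported in the article (DMG names, bundle name, bundle identifier).
DOK_BUNDLE_ID = "Swisscom.Application"
DOK_BUNDLE_NAMES = {"Dokument"}
DOK_DMG_NAMES = {"DHL Dokument.dmg", "Strichkode DHL Express.dmg"}


def read_info_plist(app_path):
    """Return the parsed Info.plist of an .app bundle, or None if absent or unreadable."""
    plist_path = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None


def check_app_bundle(app_path):
    """Return the list of indicator descriptions matching this bundle (empty if none)."""
    hits = []
    info = read_info_plist(app_path)
    if info is None:
        return hits
    if info.get("CFBundleIdentifier") == DOK_BUNDLE_ID:
        hits.append("bundle identifier %s" % DOK_BUNDLE_ID)
    # Fall back to the directory name (minus ".app") when CFBundleName is missing.
    name = info.get("CFBundleName") or os.path.basename(app_path)[:-4]
    if name in DOK_BUNDLE_NAMES:
        hits.append("bundle name %r" % name)
    return hits


def scan(root):
    """Walk `root` (e.g. a mounted DMG or a Downloads folder); return {path: [hits]}."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for fname in filenames:
            if fname in DOK_DMG_NAMES:
                findings[os.path.join(dirpath, fname)] = ["DMG file name %r" % fname]
        for dname in list(dirnames):
            if dname.endswith(".app"):
                app_path = os.path.join(dirpath, dname)
                hits = check_app_bundle(app_path)
                if hits:
                    findings[app_path] = hits
                dirnames.remove(dname)  # treat the bundle as one unit; do not descend
    return findings


def build_sample_tree():
    """Constructed sample data: a fake 'Dokument.app', a benign app and a DMG name."""
    root = tempfile.mkdtemp(prefix="dok_demo_")
    fake = os.path.join(root, "Dokument.app", "Contents")
    os.makedirs(fake)
    with open(os.path.join(fake, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": DOK_BUNDLE_ID,
                       "CFBundleName": "Dokument",
                       "CFBundlePackageType": "APPL"}, fh)
    benign = os.path.join(root, "Preview.app", "Contents")  # placeholder benign bundle
    os.makedirs(benign)
    with open(os.path.join(benign, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example.preview",
                       "CFBundleName": "Preview"}, fh)
    open(os.path.join(root, "DHL Dokument.dmg"), "wb").close()  # empty file, name only
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan(build_sample_tree()).items()):
        print(path, "->", ", ".join(hits))
```

Run against a real path with `scan("/Volumes/<mounted dmg>")` or `scan(os.path.expanduser("~/Downloads"))`. Name-based indicators like these are cheap but brittle, since the next campaign can change the DMG name or bundle identifier; they are best used alongside the Gatekeeper and notarization checks macOS already applies to downloaded bundles.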
Fake AppStore and update screen
If the user double-clicks Dokument.app, several applications get installed in the background and an update screen covers the entire display. Security Boulevard, which documented the OSX.Dok activity, described how the malware takes complete control once the update screen appears.
“There’s no way for the user to cancel out or force quit from this view as the application disables the keyboard. Though we don’t often see this technique on MacOS, this is not some new technique the hackers have conjured up. Rather, the malware authors have just leveraged the same Apple APIs that games developers use to produce an immersive experience and force players into particular game situations.”
'Game situations' here means stopping the user from closing the ongoing installations or other malicious activity of the malware. The only way to stop these installations from executing, in this case, is to perform a forced shutdown followed by a Safe Mode boot. This prevents the malware and its additional files from doing further damage.
According to Security Boulevard's analysis, around 43 systems were compromised in one day. The team behind the analysis has informed Apple of this malware and has advised users to be cautious about phishing emails.