
OSX.Dok, the malware that infected Apple computers, is active again

  • OSX.Dok, the Mac malware first discovered in 2017, has resurfaced with a new variant.
  • It poses as a fake PDF application that takes over the entire screen when opened, blocking the user from taking any action while the malware installs further malicious applications in the background.

OSX.Dok, a malware that rattled Mac users back in 2017, has once again returned to target the Apple ecosystem. A recent blog post documented the malware's renewed activity, observed a few days earlier.

Unlike the previous version, OSX.Dok now has a new trick up its sleeve: it disguises itself as a fake Adobe PDF document and prompts the user to open the file.

Modus Operandi

OSX.Dok is delivered in a DMG package named either 'DHL Dokument.dmg' or 'Strichkode DHL Express.dmg', and the application inside it uses the bundle identifier 'Swisscom.Application'.

The earlier version of the malware spread through a phishing campaign targeting European users. It disguised itself as an application bundle carrying a fake Preview icon.

The new variant instead uses a fake Adobe PDF icon, with the application bundle named 'Dokument'. When the DMG is mounted, it instructs the user, in German, to double-click the icon.

The German-language instruction and the package name 'DHL Dokument.dmg' suggest that the attackers are once again targeting European, and specifically German-speaking, users.
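The indicators above (the two DMG names, the bundle identifier 'Swisscom.Application' and the app name 'Dokument') are enough for a quick triage check of a mounted volume or an applications folder. The script below is an added example, not code from Cyware or from the Security Boulevard analysts. It uses only the Python standard library (os, plistlib, tempfile) so it runs offline on any platform; the sample "volume" it builds is constructed for illustration and mirrors the standard bundle layout (Dokument.app/Contents/Info.plist with CFBundleIdentifier and CFBundleName). On a real Mac you would point scan_directory at the mounted DMG under /Volumes or at /Applications instead.

```python
"""Triage scan for the OSX.Dok indicators named in the article.

Added example, not the analysts' tooling. The indicator values come from
the article; the sample directory is constructed here for illustration.
"""
import os
import plistlib
import tempfile

# Indicators taken from the article. The DMG names are the delivery
# vehicles; the bundle identifier and app name describe the mounted bundle.
KNOWN_DMG_NAMES = {"DHL Dokument.dmg", "Strichkode DHL Express.dmg"}
KNOWN_BUNDLE_IDS = {"Swisscom.Application"}
KNOWN_APP_NAMES = {"Dokument"}


def read_bundle_info(app_path):
    """Return the parsed Info.plist of a .app bundle, or None if unreadable."""
    plist_path = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(plist_path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None


def scan_directory(root):
    """Walk `root` and return a list of (path, reason) hits.

    A bundle identifier match is reported as a strong hit; a bare app-name
    match is reported separately as a weak indicator, since any German app
    could legitimately be called 'Dokument'.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in KNOWN_DMG_NAMES:
                hits.append((os.path.join(dirpath, name), "known OSX.Dok DMG name"))
        for name in list(dirnames):
            if not name.endswith(".app"):
                continue
            app_path = os.path.join(dirpath, name)
            info = read_bundle_info(app_path)
            if info is not None:
                bundle_id = info.get("CFBundleIdentifier", "")
                app_name = info.get("CFBundleName", name[:-4])
                if bundle_id in KNOWN_BUNDLE_IDS:
                    hits.append((app_path, f"bundle identifier {bundle_id}"))
                elif app_name in KNOWN_APP_NAMES:
                    hits.append((app_path, f"app name {app_name} (weak indicator)"))
            # A bundle's Contents folder is not where further top-level
            # bundles live, so do not descend into it.
            dirnames.remove(name)
    return hits


def build_sample_volume():
    """Construct a directory that mimics the mounted DMG: a Dokument.app
    carrying the article's bundle identifier, a benign app, and a DMG file
    with one of the known names. Constructed sample, not real malware."""
    root = tempfile.mkdtemp(prefix="dok-sample-")

    def make_app(name, bundle_id):
        contents = os.path.join(root, name + ".app", "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": bundle_id,
                           "CFBundleName": name,
                           "CFBundleIconFile": "icon.icns"}, fh)

    make_app("Dokument", "Swisscom.Application")   # the lure from the article
    make_app("Notes", "com.example.notes")         # benign control bundle
    open(os.path.join(root, "DHL Dokument.dmg"), "wb").close()
    return root


if __name__ == "__main__":
    sample = build_sample_volume()
    for path, reason in scan_directory(sample):
        print(f"{reason}: {path}")
```

Treat hits as triage leads rather than verdicts: file names and bundle identifiers are the cheapest indicators for an attacker to rotate between campaigns, which is exactly what happened between the 2017 variant and this one, so a clean scan says nothing about a renamed sample.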

Fake AppStore and update screen

If the user double-clicks Dokument.app, a number of applications are installed in the background and an update screen is displayed over the entire display. Security Boulevard, which documented the OSX.Dok activity, described how the malware takes complete control once the update screen appears.

“There’s no way for the user to cancel out or force quit from this view as the application disables the keyboard. Though we don’t often see this technique on MacOS, this is not some new technique the hackers have conjured up. Rather, the malware authors have just leveraged the same Apple APIs that games developers use to produce an immersive experience and force players into particular game situations.”

In this context, 'game situations' means preventing the user from interrupting the ongoing installations or any other malicious activity. The only way to stop these installations, in this case, is to force a shutdown and then boot into Safe Mode, which prevents the malware and its additional files from doing further damage.

According to Security Boulevard's analysis, around 43 systems were compromised in a single day. The team behind the analysis has informed Apple of the malware and advised users to be cautious with phishing emails.

Cyware Publisher