OSX/Dok Malware Targeting Mac Users

More devices and operating systems than ever before have the potential to succumb to malware. Writers of this malicious code have typically aimed to exploit Windows vulnerabilities, but Mac users are no longer safe from an attacker’s sights. OSX/Dok malware was encountered toward the end of April 2017, and was discovered to be a rather sophisticated piece of work.

Recently, malware tactics have become much more polished and severe, getting around security measures and tricking users into becoming victims of the malicious virus. Mac users cannot stand idle against OSX/Dok and should be educated on this threat. Here are a few of the biggest things you need to know about OSX/Dok malware:

1. It’s Sent Through Emails

As with most malware and phishing campaigns, OSX/Dok is delivered through email attachments to unsuspecting receivers. According to Check Point, the research team that first encountered the malware, OSX/Dok mostly targeted European users, but it could become a global issue.

The threat came as a file named “,” seemingly coming from a tax office. Once clicked, it would be decompressed to appear with the same icon as older versions of Apple’s Preview app, however, it would be oddly pixelated. These unusual characteristics should serve as red flags for any user when reading emails or looking at unfamiliar links.

Global email

2. OSX/Dok Takes Control of Your Systems

The OSX/Dok malware is particularly convincing because it puts up a fake update notification for users to interact with. According to DarkReading, if a user clicks “Update All” on the notification and provides his or her admin password, the virus will finish installing malicious files and delete itself to leave few obvious signs of its presence.

This authorization gives OSX/Dok all it needs to take control of the system and access all communications. Malicious LaunchAgents files downloaded by the malware quietly redirect user traffic through a proxy server, enabling an attacker to monitor it and pick through the details. PCMag noted that even communications sent over encrypted SSL are subject to exposure. This means that anything users write or send can be easily compromised, offering opportunities for identity and financial theft. The malware can also modify data being sent and received, directing users to malicious sites in place of legitimate ones.

3. The Malware is Virtually Undetectable

With the advancements of security solutions, it’s easy to wonder how OSX/Dok got through Apple’s safeguards. When the malware was first discovered, it had zero detection on VirusTotal, meaning any security software wouldn’t have picked it up. In addition, OSX/Dok is signed with a valid Apple developer’s certificate, enabling macOS Gatekeeper to recognize it as a legitimate app, according to MacWorld. Since that time, Apple revoked the certificate and updated its silent malware signature system to deter future instances.

Apple’s fixes are a step in the right direction, but they may not be enough. The attackers quickly adapted their strategy and were using a new Apple developer ID. Check Point noted that new variants might contain extra obfuscated layers to avoid security detection. While Apple shut down the new ID as well, it’s clear that this isn’t the last we’ve seen of OSX/Dok and that users must protect themselves from advancing strategies.

“Leftovers and modifications to your system won’t be so simple to fix.”

4. Removal is Not Easy

Getting rid of the malware is not going to be an easy task. While the two LaunchAgents files can be removed, leftovers and modifications to your system won’t be so simple to fix. According to Malwarebytes Labs, there are a few things that users should be aware of:

  • Adjustments to the sudoers file can be reversed, but making the wrong changes will cause serious problems.
  • Bad certificates in the System keychain should be removed using the Keychain Access application.
  • Legitimate command-line tools were installed with the malware, consisting of tens of thousands of files.

Beating this malware will be a major initiative and will take some time to achieve for any impacted user.

5. Prevention is Key

Rather than worrying about removal, Mac users should take the steps to prevent OSX/Dok from entering their systems in the first place. Organizations must teach employees proper techniques to identify and report malware schemes and suspicious emails. Look for misspellings and any messages with attached files sent from unfamiliar senders. Don’t click on any links or files that you don’t know.

Businesses should also follow a regular maintenance strategy. If users are impacted by malware, they can simply wipe their device and download their necessary resources from backups, avoiding information loss and breaches. Organizations can also leverage reboot-to-restore software to keep configuration settings consistent across users. This way, anything that was downloaded without approval will be removed, minimizing malware risk.

About The Author

Matt Williams

A self-proclaimed ‘tech geek’, Matt has worked in technology for a decade and divides his time between blogging and working in IT. A huge New York Giants fan, expert on Reboot Restore Technology when not watching football Matt gets his game on playing Call of Duty with his friends and other tech bloggers.

Sign Up For A 30-Day Trial


Deep Freeze Enterprise

Centralized deployment and management as well as a host of configuration options for the Enterprise.

  • This field is for validation purposes and should be left unchanged.

Ready to find out more about Faronics? Let us know how to reach you.

We're here to help you in any way possible.