Our ongoing investigation of the OSX/DOK campaign has led us to detect several new variants of this malware.

These new variants have the same functionality as the previous ones, and are designed to give the attackers complete access to all victim communications. This includes communication encrypted by SSL, by redirecting the victims’ traffic through a malicious proxy server.

Following Apple’s revocation of the previous developer ID, it appears that the attackers have quickly adapted and have begun using a new Apple developer ID.

The attackers seems to have quickly adapted to Apple’s revocation of their previous developer ID, by signing these new variants with a new developer ID and by adding an extra layer of obfuscation used to avoid Anti-Virus detections.

Following these changes, the new OSX/DOK variants only have a single detection on Virus Total (at the time of this publication).

Apple has been notified about these new developments, and the new developer ID has now been revoked.

Check Point customers remain protected against these threats with the following detections:

  • Trojan.OSX.DOK
  • Trojan.OSX.DOK-Domain
  • Mac OSX/Dok Unauthorized Remote Access

 

IOCs:

3f0130cfd7bf61b8e8226dd4775319c7376a08ec019f9df12875e9ea55992e94

cd93142f1e0bac1d73235515bc127f5f9634eafde0bea2d6c294bf3549d612b7

4252e482c9801463e6f684c71f70cb64a17ae74957ed8986f2401c653acae1d7