{
	"id": "44a6d43b-23d6-4700-92d7-8780e42b17e9",
	"created_at": "2026-04-06T00:22:08.015321Z",
	"updated_at": "2026-04-10T13:12:03.075517Z",
	"deleted_at": null,
	"sha1_hash": "49af499f12319af2caec4d79b38bfe0d2e29c5f4",
	"title": "New OSX.Dok malware intercepts web traffic | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 320928,
	"plain_text": "New OSX.Dok malware intercepts web traffic | Malwarebytes Labs\r\nBy Thomas Reed\r\nPublished: 2017-04-27 · Archived: 2026-04-05 18:46:04 UTC\r\nMost Mac malware tends to be unsophisticated. Although it has some rather unpolished and awkward aspects, a\r\nnew piece of Mac malware, dubbed OSX.Dok, breaks out of that typical mold.\r\nOSX.Dok, which was discovered by Check Point, uses sophisticated means to monitor—and potentially alter—all\r\nHTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of\r\ncapturing account credentials for any website users log into, which offers many opportunities for theft of cash and\r\ndata.\r\nFurther, OSX.Dok could modify the data being sent and received for the purpose of redirecting users to malicious\r\nwebsites in place of legitimate ones.\r\nDistribution method\r\nOSX.Dok comes in the form of a file named Dokument.zip, which is found being emailed to victims in phishing\r\nemails. Victims primarily are located in Europe.\r\nIf the victim falls for the scam, the ZIP file decompresses into a file named “Dokument”, which (oddly) has been\r\ngiven the same icon as older versions of Apple’s Preview app. This is not the same as an icon given to a document\r\nthat can be opened by Preview. Plus, the icon is oddly pixelated, which should raise some red flags among alert\r\nusers.\r\nBehavioral analysis\r\nThis “document” is, of course, actually an application. 
Fortunately, when the user attempts to open this app, macOS will display a standard notification to warn the user of that fact:\r\nApple has already revoked the certificate used to sign the app, so, at this point, anyone who encounters this malware will be unable to open the app and unable to be infected by it (machines that were already infected, of course, stay infected).\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/\r\nPage 1 of 5\r\nIf the user clicks past this warning to open the app, it will display a warning that the file could not be opened, which is simply a cover for the fact that no document opened:\r\nInterestingly, this window cannot be dismissed, as the OK button does not respond. Further, the app will remain stuck in this mode for quite some time. If the user becomes suspicious at this point and attempts to force quit the app, it will not show up in the Force Quit Applications window, and in Activity Monitor it will appear as “AppStore.”\r\nIf the user manages to force this “AppStore” process to quit, however, all is not yet okay. The malware dropper will have copied itself into the /Users/Shared/ folder and added itself to the user’s login items, so it will re-open at the next login to continue the process of infecting the machine.\r\nAfter several minutes, the app will obscure the entire screen with a fake update notification.\r\nThis will remain stubbornly on the screen and will come back on restart, since the malware is in the user’s login items. If the user clicks the Update All button, the malware will request an admin password.\r\nThe malware will remain in this mode for quite some time, leaving the computer unusable until it completes. 
This is quite different from any normal macOS update process, and anyone who is intimately familiar with macOS will know that something is wrong, but those who don’t know better could easily be fooled into thinking this is a normal procedure for an important security update.\r\nOnce the user has provided an admin password, the malware makes a change to the /private/etc/sudoers file, which controls access to the sudo command in the Unix shell. A line like the following is added to the end of the sudoers file:\r\ntest ALL=(ALL) NOPASSWD: ALL\r\nThis line specifies that the indicated user (“test” here, the short name of the account the malware was run from) is allowed to use sudo without entering a password, ensuring that the malware retains root-level access without having to ask for an admin password again. Because sudo applies the last matching rule in the file, appending the line to the end overrides any stricter rule for that user earlier in the file, and changing the admin password afterwards does not undo it: the rule stays in force until someone removes it.\r\nMeanwhile, there is a very good reason for the lengthy install time: OSX.Dok will be busy using its ill-gotten root privileges to install all manner of software in the background, including the macOS command-line developer tools, which are needed for the other tools it will install.\r\nThe malware will also install Homebrew, a command-line package manager. Homebrew will, in turn, be used to download and install other tools, including tor and socat. The malware will use these processes to funnel all HTTP and HTTPS traffic through a malicious proxy server.\r\nTwo files will be installed in the user’s LaunchAgents folder to redirect this traffic. 
The first of these, named com.apple.Safari.pac.plist, sets KeepAlive, carries the Label com.apple.Safari.pac, and runs /usr/local/bin/socat as a tcp4-LISTEN listener.\r\nThe second, named com.apple.Safari.proxy.plist, has the same contents, except that it uses port 5588 in place of ports 5555 and 80.\r\nNote that Apple’s own launch agents live under /System/Library/LaunchAgents; a plist with a com.apple. label sitting in ~/Library/LaunchAgents is a strong sign that someone is trading on the name, and no Apple component starts socat listeners on local ports.\r\nAs an added kick in the pants, OSX.Dok installs a new trusted root certificate in the System keychain with the name “COMODO RSA Extended Validation Secure Server CA 2,” mimicking a genuine Comodo intermediate CA. Using this certificate, its proxy can mint a certificate for any hostname on the fly and impersonate any website convincingly, as part of the process of tampering with web traffic; browsers that use the system trust store (Safari, Chrome) show the padlock as usual, while Firefox, which keeps its own certificate store, would not trust it.\r\nOnce all this is complete, the malware deletes itself from /Users/Shared/, leaving behind few obvious signs of its presence. The LaunchAgents folder is the only change that is likely to be noticed by some users, and many will not understand that these .plist files are not actually associated with Apple.\r\nRemoval\r\nRemoval of the malware can be accomplished by simply removing the two aforementioned LaunchAgents files (and logging out, or unloading them with launchctl, so the socat listeners stop), but there are many leftovers and modifications to the system that cannot be as easily reversed. Changes to the sudoers file should be reversed; a knowledgeable user can do so with a good text editor (like BBEdit), or with sudo visudo in Terminal, which checks the syntax before saving, but making the wrong changes to that file can cause serious problems, up to locking every account out of sudo.\r\nA LaunchAgents file named homebrew.mxcl.tor.plist will also have been installed. Since this is a legitimate Homebrew service file, it shouldn’t be detected as malicious, but people who didn’t have this installed already should remove it and stop the running tor process.\r\nThe bad certificate should be removed from the System keychain using the Keychain Access application (found in the Utilities folder in the Applications folder).\r\nThe numerous legitimate command-line tools installed, consisting of tens of thousands of files, cannot be easily removed.\r\nUpdate: Some subsequent variants of Dok have also modified the /etc/hosts file. 
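The removal checks above (sudoers NOPASSWD rules, the com.apple.* LaunchAgents running socat, the Homebrew tor service file, the rogue root certificate and the /etc/hosts edits) as one added triage script. This is the editor's example, not code from Malwarebytes or Check Point: the label and file names come from the post, while the socat arguments, the sample sudoers, plist and hosts contents and the example-bank hostname are constructed here purely to exercise the checks, and the keychain query relies on the macOS security tool, which the script skips where that tool does not exist.

```python
import os
import plistlib
import subprocess
import tempfile
# Artifact names taken from the post; DEFAULT_HOSTS is the stock macOS file; all else is assumed.
DOK_AGENT_LABELS = {'com.apple.Safari.pac', 'com.apple.Safari.proxy'}
BREW_TOR_PLIST = 'homebrew.mxcl.tor.plist'
ROGUE_CERT_NAME = 'COMODO RSA Extended Validation Secure Server CA 2'
SOCAT = '/usr/local/bin/socat'
DEFAULT_HOSTS = {('127.0.0.1', 'localhost'), ('255.255.255.255', 'broadcasthost'), ('::1', 'localhost')}
# Constructed sample data (not from a real infection) shaped like what the post describes.
SAMPLE_SUDOERS = '''# constructed sample sudoers
root ALL=(ALL) ALL
test ALL=(ALL) NOPASSWD: ALL
'''
SAMPLE_HOSTS = '''# constructed sample hosts file
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
127.0.0.1       login.example-bank.test   # the kind of line a later Dok variant adds
'''

def nopasswd_entries(sudoers_text):
    '''(user_or_group, rule) for each rule granting NOPASSWD; sudo applies the last match, so an appended rule wins.'''
    rules = [line.strip() for line in sudoers_text.splitlines()]
    return [(r.split()[0], r) for r in rules if r and not r.startswith('#') and 'NOPASSWD' in r.upper()]

def suspicious_launch_agents(agents_dir):
    '''Flag per-user LaunchAgents that look like the socat/tor redirectors. Apple keeps
    its own agents under /System/Library/LaunchAgents, so a com.apple. label here is fake.'''
    findings = []
    for name in sorted(n for n in os.listdir(agents_dir) if n.endswith('.plist')):
        with open(os.path.join(agents_dir, name), 'rb') as fh:
            plist = plistlib.load(fh)
        label = str(plist.get('Label', ''))
        args = plist.get('ProgramArguments') or []
        program = os.path.basename(str(args[0])) if args else ''
        reasons = []
        if label in DOK_AGENT_LABELS:
            reasons.append('label used by OSX.Dok')
        elif label.startswith('com.apple.'):
            reasons.append('com.apple. label outside the system LaunchAgents folder')
        if program in ('socat', 'tor'):
            reasons.append('runs ' + program)
        if name == BREW_TOR_PLIST:
            reasons.append('Homebrew tor service (fine only if you installed it)')
        if reasons:
            findings.append((name, '; '.join(reasons)))
    return findings

def hosts_additions(hosts_text):
    '''/etc/hosts mappings beyond the stock macOS set (later Dok variants edited the file).'''
    rows = [raw.split('#', 1)[0].split() for raw in hosts_text.splitlines()]
    return [' '.join(p) for p in rows if p and not all((p[0], n) in DEFAULT_HOSTS for n in p[1:])]

def rogue_root_cert_present(keychain='/Library/Keychains/System.keychain'):
    '''macOS only: look the rogue root up by name. Apple bundled roots live in the separate
    System Roots keychain, so a hit in the System keychain was added by an admin or by malware.'''
    try:
        proc = subprocess.run(['security', 'find-certificate', '-a', '-c', ROGUE_CERT_NAME,
                               keychain], capture_output=True, text=True)
    except FileNotFoundError:  # no security tool, so not macOS
        return None
    return bool(proc.stdout.strip())

def triage(sudoers_path, agents_dir, hosts_path, check_keychain=False):
    '''Run every check; on a real Mac use /etc/sudoers (read with sudo), ~/Library/LaunchAgents, /etc/hosts.'''
    with open(sudoers_path) as fh:
        sudo = nopasswd_entries(fh.read())
    with open(hosts_path) as fh:
        hosts = hosts_additions(fh.read())
    return {'sudoers': sudo, 'hosts': hosts, 'agents': suspicious_launch_agents(agents_dir),
            'root_cert': rogue_root_cert_present() if check_keychain else 'not checked'}

def demo():
    '''Write the constructed artifacts to a temp dir and triage them; runs on any OS.'''
    root = tempfile.mkdtemp()
    agents = os.path.join(root, 'LaunchAgents')
    os.mkdir(agents)
    # The post shows only the start of the socat argument (tcp4-LISTEN); the port suffix is assumed.
    plists = {'com.apple.Safari.pac.plist': ('com.apple.Safari.pac', SOCAT, 'tcp4-LISTEN:5555'),
              'com.apple.Safari.proxy.plist': ('com.apple.Safari.proxy', SOCAT, 'tcp4-LISTEN:5588'),
              BREW_TOR_PLIST: ('homebrew.mxcl.tor', '/usr/local/opt/tor/bin/tor'),
              'com.example.backup.plist': ('com.example.backup', '/usr/bin/rsync')}
    for name, (label, *args) in plists.items():
        with open(os.path.join(agents, name), 'wb') as fh:
            plistlib.dump({'KeepAlive': True, 'Label': label, 'ProgramArguments': args}, fh)
    for name, text in (('sudoers', SAMPLE_SUDOERS), ('hosts', SAMPLE_HOSTS)):
        with open(os.path.join(root, name), 'w') as fh:
            fh.write(text)
    return triage(os.path.join(root, 'sudoers'), agents, os.path.join(root, 'hosts'))

if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print(key, value)
```

Run as-is it triages only the constructed sample, flagging the two Safari plists and the tor service while leaving the benign com.example.backup agent alone; on a real Mac call triage with the live paths and check_keychain set, and expect the hosts and sudoers checks to need sudo to read their files. The hosts additions it lists are the lines a later Dok variant would have added.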
The hosts file should be restored from a backup, or manually edited to revert it to the normal state (the stock macOS file maps only localhost and broadcasthost).\r\nConsumers\r\nMalwarebytes Anti-Malware for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.\r\nBusinesses\r\nThe impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server.\r\nIf you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them, and treat every password entered while infected as compromised.\r\nThomas Reed\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
	],
	"report_names": [
		"new-osx-dok-malware-intercepts-web-traffic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434928,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49af499f12319af2caec4d79b38bfe0d2e29c5f4.pdf",
		"text": "https://archive.orkl.eu/49af499f12319af2caec4d79b38bfe0d2e29c5f4.txt",
		"img": "https://archive.orkl.eu/49af499f12319af2caec4d79b38bfe0d2e29c5f4.jpg"
	}
}