{
	"id": "61f41f56-e978-4099-ab60-275f707e8591",
	"created_at": "2026-04-06T00:12:32.186141Z",
	"updated_at": "2026-04-10T03:24:30.004716Z",
	"deleted_at": null,
	"sha1_hash": "62010ec588eae5ec0cb4009facbcab3f17433c2c",
	"title": "OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic (updated)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54074,
	"plain_text": "OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic (updated)\r\nBy bferrite\r\nPublished: 2017-04-27 · Archived: 2026-04-02 10:41:26 UTC\r\nResearch by: Ofer Caspi\r\nPeople often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check Point malware research team. This new malware, dubbed OSX/Dok, affects all versions of OSX, has 0 detections on VirusTotal (as of the writing of these words), is signed with a valid developer certificate (authenticated by Apple), and is the first large-scale malware to target OSX users via a coordinated email phishing campaign.\r\nOnce OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL. This is done by redirecting victim traffic through a malicious proxy server.\r\nThe malware mostly targets European users. For instance, one phishing message was observed to target a user in Germany by baiting the user with a message regarding supposed inconsistencies in their tax returns (see image, and translation, below).\r\n____\r\nUpdate – May-4-2017\r\nOur ongoing investigation of the OSX/DOK campaign has led us to detect several new variants of this malware. Following Apple’s revocation of the previous developer ID, it seems the attackers have quickly adapted and are now using a new Apple developer ID.\r\nThese new variants also contain an extra obfuscation layer using UPX in an attempt to evade detection by security products.\r\nApple has been notified about these new developments, and the new developer ID has now been revoked.\r\nCheck Point customers remain protected against these threats with the following detections:\r\nTrojan.OSX.DOK\r\nTrojan.OSX.DOK-Domain\r\nMac OSX/Dok Unauthorized Remote Access\r\nIOCs:\r\n3f0130cfd7bf61b8e8226dd4775319c7376a08ec019f9df12875e9ea55992e94\r\ncd93142f1e0bac1d73235515bc127f5f9634eafde0bea2d6c294bf3549d612b7\r\n4252e482c9801463e6f684c71f70cb64a17ae74957ed8986f2401c653acae1d7\r\n____\r\nTechnical details:\r\nThe malware bundle is contained in a .zip archive named Dokument.zip. It was signed on April 21st 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.\r\nUpon execution, the malware will copy itself to the /Users/Shared/ folder, and will then proceed to execute itself from the new location by running the shell commands below:\r\nThen, the malware will pop up a fabricated message claiming that “the package is damaged” and therefore cannot execute:\r\nIf a loginItem named “AppStore” exists, the malware will delete it, and instead add itself as a loginItem, which will persist in the system and execute automatically every time the system reboots, until it finishes installing its payload.\r\nThe malicious application will then create a window on top of all other windows. This new window contains a message claiming that a security issue has been identified in the operating system, that an update is available, and that to proceed with the update the user has to enter a password, as shown in the picture below. The malware checks the system localization, and supports messages in both German and English.\r\nThe victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine.\r\nUsing those privileges, the malware will then install brew, a package manager for OS X, which will be used to install additional tools, TOR and SOCAT. The latter is a low-level command-line utility that, with Tor, allows connection to the dark web.\r\nThe malware will then give the current user admin privileges immediately on demand without prompting for a password. This is done so that the malware won’t provoke constant admin password prompts when abusing its admin privileges with the sudo command. This is done by adding the following line to /etc/sudoers:\r\nThe malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file sitting on a malicious server. The script that makes these configuration changes can be seen below:\r\nThe resulting change can be seen in the Network Settings:\r\nThe malware will then proceed to install a new root certificate on the victim system, which allows the attacker to intercept the victim’s traffic using a Man in The Middle (MiTM) attack. By abusing the victim’s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser. The new certificate is installed using the following command:\r\nThe newly-installed certificate can be seen in the two images below.\r\nThe malware will also install 2 LaunchAgents that will start with system boot, and have the following names:\r\nThese LaunchAgents will redirect requests to 127.0.0.1 through the dark web address “paoyu7gub72lykuk.onion”. This is necessary for the previous PAC configuration to work (note that the original configuration looks for the PAC file on the local host 127.0.0.1).\r\nThese LaunchAgents consist of the following BASH commands:\r\nAs a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.\r\nWhen done, the malware will delete itself.\r\nAll that is left to say: beware of Trojans bearing gifts, especially if they ask for your root password.\r\nIOCs\r\nSample hash – 7819ae7d72fa045baa77e9c8e063a69df439146b27f9c3bb10aef52dcc77c145\r\n4131d4737fe8dfe66d407bfd0a0df18a4a77b89347471cc012da8efc93c661a5\r\nLaunchAgent:\r\nCheck Point Protections\r\nTrojan.OSX.DOK\r\nDOK\r\nSource: https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/"
	],
	"report_names": [
		"osx-malware-catching-wants-read-https-traffic"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62010ec588eae5ec0cb4009facbcab3f17433c2c.pdf",
		"text": "https://archive.orkl.eu/62010ec588eae5ec0cb4009facbcab3f17433c2c.txt",
		"img": "https://archive.orkl.eu/62010ec588eae5ec0cb4009facbcab3f17433c2c.jpg"
	}
}