{
	"id": "4d3c83f8-2d95-493d-8df3-c2831feefda1",
	"created_at": "2026-04-21T02:18:39.23961Z",
	"updated_at": "2026-04-21T02:20:18.23538Z",
	"deleted_at": null,
	"sha1_hash": "79a568ce5070cfb16af05eb047a367d0d86d4e53",
	"title": "OSX/Dok Refuses to Go Away and It’s After Your Money",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56109,
	"plain_text": "OSX/Dok Refuses to Go Away and It’s After Your Money\r\nBy bferrite\r\nPublished: 2017-07-13 · Archived: 2026-04-21 02:06:37 UTC\r\nResearch by: Ofer Caspi\r\nFollowing up on our recent discovery of the new OSX/Dok malware targeting macOS users, we’d like to report\r\nthat the malicious actors behind it are not giving up yet. They are aiming at the victim’s banking credentials by\r\nmimicking major bank sites. The fake sites prompt the victim to install an application on their mobile devices,\r\nwhich could potentially lead to further infection and data leakage from the mobile platform as well.\r\nIn the last few weeks, we’ve seen a surge in OSX/Dok samples, as the attackers are purchasing dozens of\r\nApple certificates to sign the application bundle and bypass GateKeeper (see details below). Apple is\r\nconstantly revoking the compromised certificates as we inform them of the ones we identify; however, new\r\nones appear on a daily basis.\r\nThe OSX/Dok malware is distributed via a phishing campaign, which is not a new or surprising attack\r\nvector in itself; however, this time it specifically targets macOS users, who are mostly perceived as malware-proof. This\r\nphishing campaign is combined with a MiTM attack, allowing complete access to all victim communication, even\r\nif it’s SSL encrypted.\r\nNew details on OSX/Dok obfuscation techniques\r\nWhile the attack vector is still the same (victims receive a phishing mail with the malicious application attached as\r\na zip file), the malware has mutated, making its detection and removal more difficult. Here are the main techniques\r\nit uses for this purpose:\r\nDisabling security updates\r\nThe malware modifies OS settings to disable security updates. 
Here is the shell command the malware executes in\r\norder to achieve this:\r\nIn addition, it modifies the local hosts file by adding lines that prevent the victim’s machine and some Apple services from\r\ncommunicating with the outside:\r\nsudo echo “127.0.0.1 localhost\r\n255.255.255.255 broadcasthost\r\n::1             localhost\r\n127.0.0.1 metrics.apple.com\r\n127.0.0.1 ocsp.apple.com\r\nhttps://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/\r\nPage 1 of 5\n\n127.0.0.1 su.itunes.apple.com\r\n127.0.0.1 ax.su.itunes.apple.com\r\n127.0.0.1 swscan.apple.com\r\n127.0.0.1 swcdn.apple.com\r\n127.0.0.1 swdist.apple.com\r\n127.0.0.1 a1.phobos.apple.com\r\n…….\r\n…….. many more….\r\n…….\r\n127.0.0.1 volume.apple.com\r\n127.0.0.1 war.apple.com\r\n127.0.0.1 www1.apple.com\r\n127.0.0.1 wwwtest.apple.com\r\n127.0.0.1 xml.apple.com\r\n127.0.0.1 xp.apple.com\r\n127.0.0.1 xp2.apple.com\r\n127.0.0.1 virustotal.com\r\n127.0.0.1 www.virustotal.com” \u003e /private/etc/hosts\r\nThis way, all communication attempts to the hosts listed in the file are redirected to the local machine, blocking all\r\ntraffic of the infected computer from reaching Apple websites or VirusTotal – a free online service that analyzes\r\nfiles and URLs, enabling the identification of viruses, worms, trojans and other types of malware.\r\nSigning the malware with Apple certificates\r\nThe perpetrators are willing to pay for Apple certificates ($99 each) in order to sign the application bundle, thus\r\nobfuscating its malicious intent. 
An application signed by a legitimate Apple developer certificate will bypass\r\nGateKeeper – a security feature in macOS that aims to prevent the installation of unsigned applications on a system\r\nwith its default settings.\r\nHere is an example of a signature used by the malicious OSX/Dok bundle from recent days:\r\nAlso, the malware authors keep naming the application bundle similarly to the ones used by Apple, such as\r\n“App1e.AppStore” or “iTunes.AppStore”, trying to make it look more credible.\r\nLocation based attack tailoring\r\nAfter installing a TOR service (for communication with the command and control server over the dark web) and a proxy,\r\nthe malware geo-locates the victim according to IP, and then possibly serves them appropriate proxy file settings\r\naccording to location. Some IPs were not served at all, as it seems that the malware targets mainly European\r\nresidents.\r\nHere are the proxy settings for a victim using a Swiss IP:\r\nAs we can see, the proxy file will redirect all traffic to the mentioned domains, used mainly by banks (such as\r\n‘credit-suisse’, ‘globalance-bank’, ‘cbhbank’, etc.) or other financial entities, to the local proxy that the malware\r\nhad set up on the local machine. The proxy will then redirect it to the malicious C\u0026C server on TOR (currently\r\n“m665veffg3tqxoza.onion”). This way, once the victim tries to visit any of the listed sites, they will be redirected\r\nto a fake website on the attacker’s C\u0026C server.\r\nOSX/Dok operational flow example\r\nAfter attempting to visit credit-suisse.com, we are greeted with the page below, which notifies us of the need to\r\ninstall a mobile phone application for security reasons (the original message is in German):\r\nUpon hitting the “ok” button the login page appears. 
Note the differences between the fake login page and the\r\noriginal one:\r\nFake page from an infected machine\r\nOriginal Page\r\nHere are the main discrepancies to be aware of:\r\nWrong years of copyright – the C\u0026C server is probably using an old snapshot of the “Credit-Suisse”\r\nbank site from 2013 (appears in the bottom left side of the page).\r\nMissing the original Credit-Suisse SSL certificate – there was no alert on that because the malware\r\ninstalled a fake certificate in the root chain; however, one can notice that the fake certificate is\r\na generic one.\r\nMissing auth token in the URL – token based authentication ensures each request to a server is\r\naccompanied by a signed token which the server verifies and only then responds. In this case, there’s no\r\ntoken as the communication is with the C\u0026C server and not with the real one.\r\nUpon entering their credentials, the victim is met with a page asking for their favored method of authentication:\r\nAfter choosing “SMS” (other options do not seem to be viable) the victim is prompted to download and install the\r\nmobile application of which they were notified earlier, via a link that is sent to their mobile device (which they’re\r\nrequested to provide):\r\nAs paragons of customer service, the attackers also offer a direct application download via QR code in case the\r\nSMS message was not received:\r\nWe were surprised to discover that at this point in time the attackers use this process to install “Signal”, a\r\nlegitimate messenger application. Remember this could change at any moment if the hackers decide they want to\r\ntarget the victim’s mobile device as well and install mobile malware.\r\nThe reasoning behind installing a messenger application on the victim’s device is not entirely clear. 
One\r\npossibility is that the installation is used as a method to bypass two-factor authentication (2FA) – often a part\r\nof the registration process to access a banking site. In this case the user usually receives an SMS message with a\r\npassword (OTP – One Time Password) that is valid only for a very short period of time and has to be entered\r\nbefore access is granted. However, had the attacker been active at the bank’s site in parallel to the user’s activities at\r\nthe fake site, it would have been possible to bypass the 2FA without the application, since the attacker would use\r\nthe password that the user had just punched in and would manage to get through to the site.\r\nIn light of this, it is possible that Signal installed on the victim’s mobile device would allow the attacker to\r\ncommunicate with the victim at a later stage, as the perpetrator is not necessarily active at the same time the\r\nvictim reaches for the banking site. Using Signal may make it easier for the attacker to masquerade as the bank\r\nand trick the victim into providing the SMS they had received from the real bank, when the attacker tries to log in\r\nto the site (in case the credentials alone are not enough due to the 2FA). Similarly, the perpetrator might use Signal\r\nto commit additional fraudulent activities against the victim at a later time. 
Whatever the goal may be, Signal will\r\npossibly make it harder for law enforcement to trace the attacker.\r\nAlternatively, the perpetrator might be using Signal temporarily, to acquire install rate statistics and prove the\r\nmethod is working, while planning to install a malicious mobile application on future victims at a later time.\r\nIn any case, upon successful completion of this operational flow, the attacker gains access to the victim’s bank\r\naccount and gets to carry out some bank transactions, though probably not the ones the victim had in mind.\r\nSimilarity to the “Retefe” malware\r\nAfter we posted our previous report about OSX/Dok, we were notified by a fellow researcher about the\r\nsimilarities between OSX/Dok and “Retefe”, which is a banking Trojan known for several years, mostly active on\r\nthe Windows platform. After further investigation we can, indeed, conclude that OSX/Dok is the same malware\r\nported from Windows.\r\nConclusion\r\nUnfortunately, the OSX/Dok malware is still on the loose and its owners continue to invest more and more in its\r\nobfuscation by using legitimate Apple certificates.\r\nThe fact that OSX/Dok is ported from Windows may point to a trend. We believe more Windows malware\r\nwill be ported to macOS, either due to the lower number of quality security products for macOS compared to the\r\nones for Windows, or the rising popularity of Apple computers. According to Gartner, Macs have more than\r\ntripled their total market share in less than a decade.\r\nMeanwhile, we will continue to raise awareness of the various malware activities and modus operandi and arm\r\nusers with the required information to stay safe from the ever-evolving fraudulent attacks.\r\nSource: https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"
	],
	"report_names": [
		"osxdok-refuses-go-away-money"
	],
	"threat_actors": [],
	"ts_created_at": 1776737919,
	"ts_updated_at": 1776738018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79a568ce5070cfb16af05eb047a367d0d86d4e53.pdf",
		"text": "https://archive.orkl.eu/79a568ce5070cfb16af05eb047a367d0d86d4e53.txt",
		"img": "https://archive.orkl.eu/79a568ce5070cfb16af05eb047a367d0d86d4e53.jpg"
	}
}