Unfortunately, too many macOS users still labour under the illusion that Macs are immune to malware. Since we did our end-of-year review of macOS malware last December, we have seen an uptick in the number of new macOS malware outbreaks: new variants of old families updated with fresh tricks, as well as novel malware never before seen in the wild. Both nation-state-backed APTs and criminal gangs are increasingly targeting macOS users. In this post, we update you on the outbreaks we have seen so far in the first six months of 2019.

We first spotted a new variant of OSX.Dok on January 9th during a routine search of samples on VirusTotal. OSX.Dok is distributed via a phishing campaign and is able to intercept all of the victim's internet traffic, even when it is SSL/TLS encrypted. Once the malware starts capturing the user's traffic, it connects to a Tor hidden service at ltro3fxssy7xsqgz.onion and begins exfiltrating user data. To support this, OSX.Dok installs Homebrew and a hidden copy of Tor, along with several other utilities that enable stealthy communication. It also writes multiple Apple domain names into the local hosts file so that connections to those hosts are redirected to 127.0.0.1 and never leave the machine. Our investigation of the sample led us to the attacker's servers, which held logs of infected victims, with new victims appearing in the logs on a daily basis.
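The hosts-file tampering described above is one of the cheapest things to check for during triage of a suspected OSX.Dok infection. The following Python script is an added example, not code from the original post or from any SentinelOne tooling: it parses hosts-file content and flags any Apple domain that has been pointed at a loopback address. The Apple domain suffixes it matches and the sample hosts-file text (including the specific hostnames in it) are constructed for illustration and are assumptions, not indicators taken from the malware.

```python
"""Flag hosts-file entries that redirect Apple domains to loopback.

Added example: the domain list and the sample hosts content below are
constructed assumptions for illustration, not indicators from OSX.Dok itself.
"""
import ipaddress
import sys
from typing import List, Tuple

# Assumption: domain suffixes whose loopback redirection is suspicious on a Mac.
APPLE_SUFFIXES = ("apple.com", "icloud.com")

# Constructed sample of a tampered hosts file (hostnames are illustrative only).
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# constructed entries mimicking the "Apple domain -> 127.0.0.1" pattern
127.0.0.1 swscan.apple.com    # trailing comment should be ignored
127.0.0.1 ocsp.apple.com
::1 keyvalueservice.icloud.com
127.0.0.1 example.org
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (from '#' to end of line), blank lines and lines whose first
    field is not a valid IP address are skipped; a line may list several
    hostnames for one address, so each hostname becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((fields[0], host.lower().rstrip(".")))
    return entries


def is_apple_domain(host: str) -> bool:
    """True if host equals or is a subdomain of one of APPLE_SUFFIXES."""
    return any(host == s or host.endswith("." + s) for s in APPLE_SUFFIXES)


def find_hijacked_apple_hosts(text: str) -> List[Tuple[str, str]]:
    """Return Apple hostnames mapped to a loopback address (IPv4 or IPv6).

    Matching on ip.is_loopback rather than the literal string 127.0.0.1
    also catches 127.x.x.x and ::1 variants of the same trick.
    """
    return [
        (ip, host)
        for ip, host in parse_hosts(text)
        if is_apple_domain(host) and ipaddress.ip_address(ip).is_loopback
    ]


if __name__ == "__main__":
    # Check the live hosts file when run directly; fall back to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError as exc:
        print(f"could not read {path} ({exc}); using constructed sample")
        content = SAMPLE_HOSTS
    for ip, host in find_hijacked_apple_hosts(content):
        print(f"SUSPICIOUS: {host} -> {ip}")
```

Run it with no arguments on a Mac to inspect /etc/hosts, or pass a path to a hosts file pulled from a disk image. A hit is not proof of OSX.Dok on its own, but a clean macOS install has no reason to map Apple domains to loopback, so any match warrants a closer look at the rest of the system.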