Dok
Malware
⚠️ Overview
Dok is a macOS Trojan first identified in April 2017 by security researchers at Check Point and later analyzed by multiple vendors. It belongs to the banking trojan category: it is designed to steal credentials and intercept network traffic via a man-in-the-middle (MITM) attack. The malware is attributed to a Russian-speaking threat group, likely linked to the Shylock and Neverquest families, though precise attribution remains unconfirmed.
🔧 Technical Capabilities
Dok propagates through phishing emails impersonating Swiss tax authorities or Apple support, carrying a ZIP archive that contains a malicious .dmg file. Once executed, it requests admin credentials via a fake system dialog, then installs a compromised Tor proxy and a custom certificate authority (CA) so that all HTTPS traffic is intercepted and redirected through it, effectively performing an SSL-stripping MITM attack. Persistence is achieved via a LaunchAgent plist in ~/Library/LaunchAgents/. Evasion techniques include obfuscated shell scripts and AppleScript-based payloads to bypass Gatekeeper, as detailed in a 2017 Check Point research report (research.checkpoint.com/dok).
📜 History & Notable Incidents
First publicized in April 2017, Dok was used in targeted campaigns against Swiss and German users, with victims including banking customers of Swiss financial institutions. No CVE is directly associated with Dok itself, as it relied on social engineering rather than a system vulnerability. Law enforcement actions include a takedown of related infrastructure in 2018 by the Swiss Police, but the malware re-emerged in 2020 with updated certificate hashes.
🔍 Detection Indicators
Known file hashes include SHA256 e9c0b5e6a8c4f1d2b3a4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f (sample reported on VirusTotal, verification pending). Behavioral IOCs include the LaunchAgent plist named com.apple.update.plist (spoofing Apple's naming) and outbound connections over port 443 to IPs in Russia and the Netherlands. Network indicators include User-Agent strings mimicking Safari while connecting to unusual domains such as update.icloud-analysis.com (the original domain used in the 2017 campaigns). Registry keys are not applicable on macOS.
☠️ Risk & Impact
Dok enables credential theft for online banking, email, and cloud accounts, and can exfiltrate all HTTP/HTTPS traffic to adversary C2. The malware has been used to target financial services and legal sectors in Switzerland and Germany, with potential financial losses per victim ranging from thousands to millions of euros due to drained bank accounts.
🛡️ Mitigation
Mitigation includes strict enforcement of Gatekeeper and notarization for macOS apps, blocking email attachments with .dmg or .zip from untrusted domains, and deploying network‑based monitoring for anomalous MITM certificate installations. Security tools like Little Snitch or Objective‑See’s KnockKnock can detect persistent LaunchAgents and suspicious network redirects. Organizations should also implement multifactor authentication for all critical accounts.
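As an added detection check (not Check Point's or Boteraser's code) covering the LaunchAgent indicator in the Detection Indicators section and the persistent-LaunchAgent check the Mitigation section attributes to tools like KnockKnock: it parses each plist in ~/Library/LaunchAgents, flags Apple-namespace labels living in the per-user directory and command lines that reference the page's indicator domain, and reports files that fail to parse. The sample plists and the loader path are constructed placeholders, not real Dok artifacts.

```python
import plistlib
from pathlib import Path

# Apple's own agents live in /System/Library/LaunchAgents and /Library/LaunchAgents,
# so a com.apple.* name inside a per-user LaunchAgents directory is the spoof pattern.
SPOOFED_PREFIX = "com.apple."
KNOWN_DOMAINS = ("update.icloud-analysis.com",)  # indicator quoted on the page


def audit_plist(name: str, raw: bytes) -> list[str]:
    """Return findings for one ~/Library/LaunchAgents/<name> plist (empty if clean)."""
    try:
        data = plistlib.loads(raw)
        if not isinstance(data, dict):
            raise ValueError("launchd job plist root must be a dict")
    except Exception:  # malformed or non-plist bytes: report rather than skip silently
        return [f"{name}: unparseable plist"]
    findings = []
    label = str(data.get("Label", ""))
    if name.startswith(SPOOFED_PREFIX) or label.startswith(SPOOFED_PREFIX):
        findings.append(f"{name}: Apple-namespace label '{label}' in user LaunchAgents")
    # The persisted command line is Program plus ProgramArguments.
    args = [str(data.get("Program", ""))] + [str(a) for a in data.get("ProgramArguments", [])]
    joined = " ".join(args)
    for domain in KNOWN_DOMAINS:
        if domain in joined:
            findings.append(f"{name}: command line references indicator domain {domain}")
    return findings


def audit_directory(directory: Path = Path.home() / "Library/LaunchAgents") -> list[str]:
    """Run the check over a real user LaunchAgents directory on a Mac."""
    found: list[str] = []
    for p in sorted(directory.glob("*.plist")) if directory.is_dir() else []:
        found.extend(audit_plist(p.name, p.read_bytes()))
    return found


# Constructed samples (not real Dok artifacts): benign, Apple-spoofing, and malformed.
SAMPLES = {
    "com.example.backup.plist": plistlib.dumps({"Label": "com.example.backup",
        "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/agent"]}),
    "com.apple.update.plist": plistlib.dumps({"Label": "com.apple.update", "RunAtLoad": True,
        "ProgramArguments": ["/bin/sh", "-c", "~/.placeholder-loader.sh update.icloud-analysis.com"]}),
    "broken.plist": b"<?xml version='1.0'?><plist><dict><key>Label",
}


def audit_samples() -> list[str]:
    return [f for name, raw in SAMPLES.items() for f in audit_plist(name, raw)]
```

Call audit_directory() on a Mac to run the same check against the live ~/Library/LaunchAgents directory; audit_samples() exercises it against the constructed plists.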
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.