Security researchers from Check Point have discovered a new Mac malware family that uses nag screens to obtain admin privileges, Tor to hide traffic diverted to a remote proxy, and a rogue certificate to intercept encrypted browser traffic.

According to researchers, this new malware has been seen targeting European users using a wave of spam emails. The emails, perpetrating to bring inconsistencies with tax returns to the user's attention have been seen targeting German-speaking users.

The emails contain a file attachment named Dokument.zip, which unzips to an app named Truesteer.AppStore. When executed, this app will copy itself to another location on the user's PC, delete the original, and show an error message informing the user the document couldn't be opened.

Dok uses Android-like nag screens

At this point, the malware's installation is only midway, and to make sure the process finishes successfully, the malware, which researchers named OSX/Dok, will add a new loginItem to the user's Mac named AppStore. The purpose of this loginItem is to make sure the installation process continues after the user reboots his Mac.

The next stage in the installation process is to show nag screens, urging users to install an urgent security update. In reality, the goal is to obtain the user's admin password, which the malware will use later to execute various commands behind the user's back.

The usage of a nag screen to obtain admin privileges is commonly seen on Android devices. Just like with Android malware, the Dok nag screen will appear at regular intervals until the user caves in and gives it his password. The loginItem ensures the nag screen will appear after reboots.

Dok's nag screen
Dok's nag screen [Source: Check Point]

Once Dok obtains a victim's admin password, it will use it to install the Brew package manager, and then install the Tor client and the Socat networking utility.

Malware funnels all traffic through a remote proxy

The malware then downloads a PAC (Proxy AutoConfiguration) file and uses it to relay all the user's traffic through a proxy. At first, the proxy isn't immediately visible, as all traffic is sent to a localhost URL.

In reality, the malware sets up a local server and directs that localhost URL to a Dark Web link. In the first Dok version researchers spotted, this Dark Web URL was located at paoyu7gub72lykuk.onion.

Dok's proxy settings
Dok's proxy settings [Source: Check Point]

But the malware isn't done. The last step is to install a new root certificate on the user's Mac. Dok then uses this certificate to perform man-in-the-middle (MitM) attacks.

The purpose of this complex installation chain is to give the attacker the ability to intercept any of the user's traffic, encrypter or non-encrypted, and inject his own content into those pages, or deliver new pages altogether.

Security experts spotted Dok for the first time on April 21, and at the time of its discovery, Dok had a 0% detection rate on VirusTotal. In the meantime, detections have gotten better [1, 2].