OSX/Dok Mac Trojan

OSX/Dok: macOS Malware That Hijacks Network Traffic Using Proxy Redirection

OSX/Dok is a macOS malware first discovered in 2017, designed to intercept and monitor all encrypted network traffic by installing a malicious proxy configuration and custom root certificate. It spreads through phishing campaigns using fake document themes, tricking users into granting system-level permissions. OSX/Dok was one of the first examples of malware that could bypass macOS Gatekeeper protections and achieve full control over a Mac’s network communications.

Introduction to OSX/Dok

OSX/Dok masquerades as a legitimate file or installer, often with misleading names related to taxes, government, or shipping. Once installed, it gains administrative privileges, installs a man-in-the-middle (MitM) setup, and routes all web traffic through a proxy controlled by the attacker. This allows the malware to spy on emails, banking logins, or any HTTPS traffic — even if it's encrypted.

---

1. How OSX/Dok Works

Infection Mechanism:
OSX/Dok is delivered via:

• Phishing emails containing ZIP files or disguised documents
• Fake apps or installers that prompt the user for administrator credentials
• After installation, it creates persistence and immediately modifies network settings

Payload Execution:
Once active, OSX/Dok:

• Installs a malicious SSL certificate to intercept encrypted traffic
• Modifies network proxy settings to reroute all data through attacker-controlled servers
• Uploads system data to a command-and-control (C2) server
• Runs silently in the background with no visual indicators for the user

---

2. History and Notable Campaigns

Origin and Discovery:
OSX/Dok was first identified by Check Point researchers in April 2017. It was notable for being signed with a valid Apple developer certificate, allowing it to bypass macOS Gatekeeper at the time.

Notable Campaigns:

• Targeted European macOS users, particularly in Switzerland
• Delivered through phishing emails disguised as tax-related documents
• Apple later revoked the abused developer certificate to stop its spread

---

3. Targets and Impact

Targeted Victims and Sectors:

• Individual macOS users, especially those handling sensitive financial data
• Users in Europe, though the malware was technically capable of global impact
• Victims who opened attachments and granted admin permissions to unknown apps

Consequences:

• Complete network traffic compromise, including HTTPS interception
• Theft of banking credentials, login data, and sensitive communications
• Long-term privacy violations and data exposure
• Abuse of trust in Apple’s certificate system

---

4. Technical Details

Payload Capabilities:

• Installs and trusts a rogue certificate authority (CA) on the system
• Configures the system to route traffic through a malicious proxy
• Collects system info and sends it to a remote server
• Uses launch agents and cron jobs for persistence
• Deletes itself after initial setup to reduce visibility

Evasion Techniques:

• Was signed with a valid Apple developer ID at launch
• Disguised as a legitimate document or archive
• Operated quietly without affecting system performance noticeably
• Avoided use of common malware indicators to stay under the radar

---

5. Preventing OSX/Dok Infections

Best Practices:

• Avoid opening ZIP files or installers from unknown email senders
• Only install apps from the Mac App Store or verified developers
• Monitor for unexpected changes in network settings or certificates
• Disable admin privileges for regular daily accounts
• Use a browser extension or VPN that alerts on proxy tampering

Recommended Security Tools:

• Reputable macOS antivirus software with certificate and proxy monitoring
• Tools that audit LaunchAgents, certificates, and networking changes
• DNS-layer security to block traffic to known malicious C2 servers
• Endpoint protection that flags unusual configuration changes

---

6. Detecting and Removing OSX/Dok

Indicators of Compromise (IoCs):

• Presence of unauthorized root certificates in the keychain
• Proxy settings redirected to unknown IP addresses
• Launch agents located in ~/Library/LaunchAgents/ with suspicious names
• Log files or traffic indicating contact with known C2 domains

Removal Steps:

1. Reboot into Safe Mode
2. Remove unknown launch agents and persistence mechanisms
3. Delete the rogue certificate from Keychain Access
4. Reset proxy settings manually in System Preferences > Network
5. Run a malware scan to confirm full removal

Professional Help:
If sensitive data was accessed or if the infection occurred on a corporate device, contact incident response professionals for full remediation.

---

7. Response to a OSX/Dok Infection

Immediate Steps:

• Disconnect the system from the network
• Disable the proxy settings and remove the malicious certificate
• Check for secondary malware or data theft
• Change all passwords accessed during the infection window
• Report the incident to Apple or relevant authorities if applicable

---

8. Legal and Ethical Implications

Legal Considerations:
OSX/Dok’s man-in-the-middle behavior may lead to serious privacy violations, and infections involving credential theft could trigger breach reporting requirements. Legal implications also extend to any abuse of developer certificates.

Ethical Considerations:
The malware exploited users' trust in signed apps and macOS’s perceived safety, showing how technical legitimacy can be weaponized. It blurred the line between surveillance and outright theft by intercepting private communications.

---

9. Resources and References

• Check Point: OSX/Dok Discovery Report
• Apple Security Updates
• VirusTotal: Online Analysis Tools
• Objective-See: macOS malware analysis tools
• Intego, The Mac Security Blog: OSX/Dok Can Read Encrypted Web Traffic, Open a Backdoor
• MITRE ATT&CK Techniques:
  • T1553.002 (Subvert Trust Controls: Code Signing)
  • T1071.001 (Application Layer Protocol: Web Traffic)
  • T1553.004 (Subvert Trust Controls: Install Root Certificate)
  • T1112 (Modify Registry or Configuration)
  • S0281 (Malware: Dok)

---

10. FAQs about OSX/Dok

Q: What is OSX/Dok malware?
A macOS trojan that intercepts network traffic using a rogue certificate and proxy setup.

Q: How does it infect systems?
Through phishing emails with malicious ZIP files or disguised installers.

Q: What does it do once installed?
Reroutes encrypted traffic through attacker-controlled servers to monitor user activity.

Q: Can it be removed?
Yes, but it requires removing launch agents, restoring proxy settings, and deleting the malicious certificate.

---

11. Conclusion

OSX/Dok was one of the first macOS malware families to hijack encrypted traffic at scale, using trusted certificates and proxy manipulation to steal user data. It demonstrated that macOS users are not immune from sophisticated social engineering and that signed malware can still be dangerous when users grant elevated privileges. Awareness, system hygiene, and monitoring of hidden settings are key to preventing threats like this from taking hold.

 

 

« Back to the Virus Information Library

« Back to the Security Center