Major Scale Mac Malware on the Loose

Well, it really was only a matter of time before the virus writers turned their attention to the venerable Apple platform.  Up until now, there have really only been “proof of concept” viruses that attack the Mac OS.  There have been a few mass-distribution infections, but for the most part those only attacked users downloading pirated software.  So it was basically Karma.

But in the immortal words of Jacques Clouseau:

“Not Anymore!”

There’s a new Trojan in town and it is extremely destructive.

The OSX/Dok Trojan will ruin your life – and your beloved Mac, just like all the myriad Windows-based malware has been doing to the Microsoft camp for the last 2 decades.  Remember the Michelangelo virus?  Bueller?  Bueller?  Anyone?  Anyone?  It was one of the early mass-scale infections that just flat out destroyed all your data on Michelangelo’s birthday.  Since then, the ante has been raised considerably with ransomware.  But up until right now, Mac users were justified in being smug about their relative invulnerability.


Not Anymore.

This is the first Major Scale malware to attack OS X and macOS.

Most current anti-malware / antivirus products DO NOT Detect This Trojan.

OSX/Dok has so far been distributed in Europe via phishing emails alleging there are inconsistencies in the target’s tax return.  That most likely will not be a limitation for long.

It is not detected by macOS Gatekeeper, as its digital signature is considered legitimate.  Normally, Gatekeeper would keep something like this from running, which is why OS X has been relatively resistant to infection for so long.  OSX/Dok circumvents the Gatekeeper check because it is signed with a certificate Gatekeeper accepts.

The malware bundle is contained in a .zip archive named Dokument.zip.  It was signed on April 21st, 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.

Upon execution, the malware will copy itself to the /Users/Shared/ folder, and will then proceed to execute itself from the new location by running shell commands.

It forces the user to download and install a bogus update.  Unless you accede to its demands, your computer is completely unusable.

Once the payload is installed, all your external communication is forwarded through a remote proxy server, so your web surfing and email are being handed off to a bogus server.  The attacker has total control of your computer.
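The two host-side indicators the post describes (a copy of the bundle dropped into /Users/Shared/ and the system proxy settings pointing at a server you did not configure) can be checked from a terminal. The script below is an added example, not code from the original post or from Check Point: `proxy_findings` parses the text that the macOS `scutil --proxy` command prints and reports any enabled HTTP/HTTPS proxy or PAC auto-configuration URL, and `shared_app_bundles` lists .app bundles sitting in a directory. The sample `scutil` output, the proxy host and URL in it, and the bundle name used in the test are all constructed for illustration; the live checks only run where `scutil` and /Users/Shared actually exist.

```shell
#!/bin/sh
# Added defender-side audit for the indicators described in the post:
# an app bundle copied into /Users/Shared and system-wide proxy settings
# redirecting traffic to a remote server. Not from the original post or
# from Check Point; sample data below is constructed for illustration.

# Read 'scutil --proxy' output from stdin and print one line per enabled
# proxy setting (HTTP/HTTPS proxy host:port, or a PAC auto-config URL).
# Prints nothing when no proxy is enabled. Field $3 is the value after
# the "Key : value" separator that scutil uses.
proxy_findings() {
  awk '
    /^ *HTTPEnable : 1/             { http = 1 }
    /^ *HTTPProxy :/                { hproxy = $3 }
    /^ *HTTPPort :/                 { hport = $3 }
    /^ *HTTPSEnable : 1/            { https = 1 }
    /^ *HTTPSProxy :/               { sproxy = $3 }
    /^ *HTTPSPort :/                { sport = $3 }
    /^ *ProxyAutoConfigEnable : 1/  { pac = 1 }
    /^ *ProxyAutoConfigURLString :/ { pacurl = $3 }
    END {
      if (http)  print "HTTP proxy enabled: " hproxy ":" hport
      if (https) print "HTTPS proxy enabled: " sproxy ":" sport
      if (pac)   print "PAC auto-proxy enabled: " pacurl
    }'
}

# List .app bundles directly inside the given directory (normally
# /Users/Shared, where the post says the malware copies itself).
# Legitimate software rarely installs there, so anything listed deserves
# a look with 'codesign -dv --verbose=4 <bundle>' on the Mac to see who
# signed it.
shared_app_bundles() {
  dir=$1
  for b in "$dir"/*.app; do
    [ -d "$b" ] && basename "$b"
  done
  return 0
}

# Constructed sample of 'scutil --proxy' output in which a PAC URL has been
# pushed to the system; the hostname is a placeholder, not a real indicator.
SAMPLE_SCUTIL='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  HTTPSEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://proxy.example.invalid/pac.pac
}'

audit() {
  echo "== findings in constructed sample =="
  printf '%s\n' "$SAMPLE_SCUTIL" | proxy_findings
  # Live checks: only meaningful on a Mac, so skip where the tools are absent.
  if command -v scutil >/dev/null 2>&1; then
    echo "== live proxy settings =="
    scutil --proxy | proxy_findings
  fi
  if [ -d /Users/Shared ]; then
    echo "== app bundles in /Users/Shared =="
    shared_app_bundles /Users/Shared
  fi
}

audit
```

An empty result from `proxy_findings` against the live `scutil --proxy` output and an empty bundle list for /Users/Shared are the expected state on a clean machine; any PAC URL or proxy host you do not recognize should be removed in System Preferences and the machine treated as compromised until the dropped bundle has been found and examined.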

Currently, your best protection is to NEVER download / open an email attachment you cannot absolutely verify in advance.

Remember:  “Most current anti-malware / antivirus products DO NOT Detect This Trojan.”  Therefore, your only protection is to be extremely careful what emails you open and download from.

Read the full article on this topic by Check Point.

Name of author

Name: Wizard

Short Bio: The Computer Wizard (TCW). TCW was founded by Warren P. Harris in 1994 to service and repair computers in the San Francisco Bay Area. Relocating the business to Plano, Texas in 1999, TCW continued to flourish when an unfortunate loss of data for a wedding Mr. Harris photographed, caused him to research data recovery options. Realizing he would have to either pay someone to recover the photos or find out how to do it himself, the rest, as they say "is history". Approached by a friend who was a Private Investigator in 2006, Mr. Harris studied for his Investigator's license and began honing his skills in Computer Forensics. The company was renamed DFW Computer Integration in 2015.
