Dok

Dok is a notable piece of malware first discovered by security researchers at CheckPoint, who found that it primarily targets OSX users through an extensive email phishing campaign. This marked the first instance of large-scale malware aimed specifically at OSX users via this method. The malware is essentially a Mac version of the Windows banking trojan 'Retefe'. It infiltrates systems when unsuspecting users launch it, often unknowingly, from their emails. Once Dok has been launched, it executes logic to persist as a Login Item. This persistence allows the malware to automatically run each time the user logs into their system, increasing its potential for damage and making it harder to detect and remove. To achieve this, Dok invokes the AddLoginScript method, utilizing AppleScript to create the Login Item. This sophisticated approach ensures the malware's continuous presence in the infected system. In a further step to ensure its survival and effectiveness, Dok attempts to elevate its privileges within the system. It does this by displaying a fake full-screen update window that contains a single 'Update All' button. When users click on this button, thinking they are performing a routine system update, they are unknowingly granting the malware elevated access. This allows Dok to persist its payload, further compromising the user's system and potentially leading to data theft, disruption of operations, or ransom demands.