May 4, 2017
Research by: Ofer Caspi
Our ongoing investigation of the OSX/DOK campaign has led us to detect several new variants of this malware.
These new variants have the same functionality as the previous ones, and are designed to give the attackers complete access to all victim communications. This includes communication encrypted by SSL, by redirecting the victims’ traffic through a malicious proxy server.
Following Apple’s revocation of the previous developer ID, it appears that the attackers have quickly adapted and have begun using a new Apple developer ID.
The attackers seems to have quickly adapted to Apple’s revocation of their previous developer ID, by signing these new variants with a new developer ID and by adding an extra layer of obfuscation used to avoid Anti-Virus detections.
Following these changes, the new OSX/DOK variants only have a single detection on Virus Total (at the time of this publication).
Apple has been notified about these new developments, and the new developer ID has now been revoked.
Check Point customers remain protected against these threats with the following detections: