New ‘Dok’ dropper variant found, even after Apple revokes cert for Mac malware

A Malwarebytes researcher on Monday discovered a new variant of the "Dokument.app" dropper that was recently found delivering OSX/Dok Mac malware capable of intercepting infected machines' HTTPS communications. This new version delivers a Python-based open-source backdoor called Bella, but Apple has already neutralized the by reportedly revoking the ill-gotten certificate adversaries had been using to distribute the malware in a Euro-centric phishing campaign.

"Of course, since the code signing certificate on the Dokument.app dropper for this malware has been revoked, no one can be newly infected by this particular variant of this malware at this point," Malwarebytes reported in a blog post this week. "However, since Bella is open-source and surprisingly powerful for a Python script, it's quite likely it will be dropped by other malicious installers in the future."

According to Malwarebytes, the backdoor Bella connects to a command-and-control server based in Moscow and was created by an author known on GitHub as "Noah," who has a penchant for attacking MacOS systems with Python scripts. Bella's capabilities include exfiltrating iMessage and SMS chat transcripts, locating devices via Find My iPhone and Find my Friends, phishing passwords, exfiltrating the keychain, capturing microphone and webcam data, grabbing screenshots, remote shell and screen sharing, and escalating root privileges via exploits or social engineering.

Malwarebytes researcher Adam Thomas is credited with discovering the new Dokument.app dropper, which takes the form of a malicious zipped app disguised as a document. Unlike the version that dropps OSX/Dok, this variant does not display a fake “OS X Updates Available” window when it is installed. Instead, it simply closes and deletes itself.