
New ‘Dok’ dropper variant found, even after Apple revokes cert for Mac malware

A Malwarebytes researcher on Monday discovered a new variant of the "Dokument.app" dropper that was recently found delivering OSX/Dok Mac malware capable of intercepting infected machines' HTTPS communications. This new version delivers a Python-based open-source backdoor called Bella, but Apple has already neutralized the threat by reportedly revoking the ill-gotten certificate adversaries had been using to distribute the malware in a Euro-centric phishing campaign.

"Of course, since the code signing certificate on the Dokument.app dropper for this malware has been revoked, no one can be newly infected by this particular variant of this malware at this point," Malwarebytes reported in a blog post this week. "However, since Bella is open-source and surprisingly powerful for a Python script, it's quite likely it will be dropped by other malicious installers in the future."

According to Malwarebytes, the Bella backdoor connects to a command-and-control server based in Moscow and was created by an author known on GitHub as "Noah," who has a penchant for targeting macOS systems with Python scripts. Bella's capabilities include exfiltrating iMessage and SMS chat transcripts, locating devices via Find My iPhone and Find My Friends, phishing passwords, exfiltrating the keychain, capturing microphone and webcam data, grabbing screenshots, remote shell and screen sharing, and escalating to root privileges via exploits or social engineering.

Malwarebytes researcher Adam Thomas is credited with discovering the new Dokument.app dropper, which takes the form of a malicious zipped app disguised as a document. Unlike the version that drops OSX/Dok, this variant does not display a fake "OS X Updates Available" window when it is installed. Instead, it simply closes and deletes itself.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
