Friday, May 30, 2025
HomeMalwareNew OSX/Dok Malware Targeting macOS Users to Steal Banking Credentials by Cloning...

New OSX/Dok Malware Targeting macOS Users to Steal Banking Credentials by Cloning Major Bank Websites

Published on

SIEM as a Service

Follow Us on Google News

A New MacOS Malware “OSX/Dok” Discovered to Steal Banking Credentials by cloning major Banking website which leads victims to install the Malicious Application into victims mobile Devices.

This infection leads to potentially compromise the victims and leaks their sensitive data from their mobile platform.

OSX/Dok  Malware used to Attack Mac users via traditional Spam and Phishing Attacks and also combined with Man-in-the-Middle Attack which helps to gain complete access from victim communication and even its TLS Encrypted.

- Advertisement - Google News

According to Checkpoint Researchers, the attackers are purchasing dozens of Apple certificates to sign on the application bundle and bypass GateKeeper Apple is constantly revoking the compromised certificates as Checkpoint informing them. however, new ones appear on a daily basis.

How Does OSX/Dok Work

The attack vector this Malware as usual through Phishing Mail that contains a Zip File with Malicious Applications.

Once Malware infected the targetted victims,  using shell codes it modifies the Update settings and disables security updates.

“It modifies the local host file in a way that prevents the victim and some Apple services to communicate outside by adding lines to the host’s file

This Malware maintains its obfuscation by signing the application using Apple certificate by legitimate App developer which leads to bypass the Apple Gatekeeper that used to prevent to install unsigned Applications.

“The malware authors keep naming the application bundle similar to the ones used by Apple, such as “App1e.AppStore” or “iTunes.AppStore”, trying to make it look more credible. Checkpoint said.

Also Read   New Most Highly Sophisticated Spyware “MacSpy” for OS X – “RAT as a Service” Available for Sale Through Email

Steals Bank Credentials

This Malware used Tor Network as a communication channel to communicate with command and control over  Darkweb and Proxy .

According to Malware geo-locates the victim it seems that the malware targets mainly European residents.

By helping of Local Proxy that Malware setting up in the Victims Machine, all the Traffic will Be Redirected to above-mentioned Domains (such as ‘credit-suisse’, ‘globalance-bank’, ‘cbhbank’), etc. then it will redirect to Malicious C&C server on TOR.

So once victims trying to Visit this Website then it will redirect to Malicious phishing website which is mostly under the Phishing financial Banking website that looks same as original bank website.

Fake Bank Page of infected Machine (Source: Checkpoint)

Orginal Page of same Bank (Source: Checkpoint)

In this Indication we can see that, C&C server is using Old copy rights page, and phishing page missed original Credit-Suisse SSL certificate and using the fake certificate instead.

Another indication Clearly showing that, there is not proper token based authentication since original bank are using Auth Token  which the server verifies and only then responds.

Also Read  Running OSX relatively safe? New Malware strains targeting all versions of MacOSX clients

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

ConnectWise Hit by Advanced Cyberattack: Internal Data at Risk

ConnectWise, a leading provider of IT management and remote access software, has confirmed a...

Apache Tomcat CGI Servlet Flaw Enables Security Constraint Bypass

A newly disclosed vulnerability, CVE-2025-46701, has been identified in Apache Tomcat’s CGI servlet, allowing...

SentinelOne Recovers: Platform Back Online After Extended Outage

On May 29, 2025, SentinelOne, a leading cybersecurity provider, experienced a significant platform outage...

Threat Actors Exploit Nifty[.]com Infrastructure in Sophisticated Phishing Attack

Threat actors have orchestrated a multi-wave phishing campaign between April and May 2025, leveraging...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

PureHVNC RAT Uses Fake Job Offers and PowerShell to Evade Security Defenses

A new and highly evasive malware campaign delivering the PureHVNC Remote Access Trojan (RAT)...

New Spear-Phishing Campaign Targets Financial Executives with NetBird Malware

Trellix's email security systems detected a highly targeted spear-phishing campaign aimed at CFOs and...

APT Hackers Turn Google Calendar Into Command Hub Using TOUGHPROGRESS Malware, Google Alerts

Google Threat Intelligence Group (GTIG), a sophisticated malware campaign dubbed "TOUGHPROGRESS" has been uncovered,...