Once installed on a system, Dok downloads TOR for the purposes of communication with a command and control server over the dark web, which helps to geolocate the victim and customise the attack according to location - with evidence suggesting the malware mainly targets users in Europe.

A proxy file is served to the victim depending on their location, with the aim of redirecting traffic intended for bank domains to a fake site hosted on the attacker's C&C server, which harvests login credentials and allows the attacker to carry out bank transactions.

For example, a proxy setting for a Swiss IP address contains instructions for redirecting the victims' attempts to visit banking websites local to the country, including Credit Suisse, Globalance Bank, and CBH Bank.

A fake bank login page, with the telltale signs highlighted: the wrong copyright years, the original SSL certificate missing, and the auth token missing from the URL.
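The location-specific proxy file described above is a proxy auto-config (PAC) script, and the check a defender wants is to find any such script enabled on a Mac and see which hostnames it quietly routes through a proxy while everything else goes DIRECT. The following is an added example, not code from the original article or from any published Dok analysis: the PAC text, hostnames and proxy address are constructed placeholders, and the macOS collection part relies only on the stock `networksetup` tool's `-listallnetworkservices` and `-getautoproxyurl` subcommands.

```python
import fnmatch
import re
import shutil
import subprocess
from typing import Dict, List, Tuple

# Constructed sample PAC script in the style the article describes: only the
# selected banking hostnames are sent through an attacker-controlled proxy,
# everything else goes DIRECT so the victim notices nothing. The hostnames and
# the proxy address are placeholders (RFC 2606 / RFC 5737), not real IoCs.
SAMPLE_PAC = r"""
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "bank-one.example") ||
        shExpMatch(host, "*.bank-two.example"))
        return "PROXY 203.0.113.10:8080";
    if (shExpMatch(host, "ebanking.bank-three.example"))
        return "PROXY 203.0.113.10:8080";
    return "DIRECT";
}
"""

# One 'if (<condition>) return "<directive>";' branch of a PAC script.
_BRANCH_RE = re.compile(
    r'if\s*\((?P<cond>.*?)\)\s*return\s*"(?P<directive>[^"]*)"\s*;', re.DOTALL
)
# The hostname argument of the usual PAC matching helpers.
_HOST_RE = re.compile(
    r'(?:dnsDomainIs|shExpMatch|localHostOrDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"\s*\)'
)


def pac_proxy_rules(pac_text: str) -> List[Tuple[str, str]]:
    """Return (host_pattern, directive) for every branch that does not go DIRECT."""
    rules = []
    for m in _BRANCH_RE.finditer(pac_text):
        directive = m.group("directive").strip()
        if directive.upper().startswith("DIRECT"):
            continue
        for host_pattern in _HOST_RE.findall(m.group("cond")):
            rules.append((host_pattern, directive))
    return rules


def _matches(host: str, pattern: str) -> bool:
    # shExpMatch uses shell globs; dnsDomainIs is a domain-suffix test.
    suffix = pattern.lstrip(".")
    return fnmatch.fnmatch(host, pattern) or host == suffix or host.endswith("." + suffix)


def flag_hijacked_hosts(pac_text: str, watched_hosts: List[str]) -> Dict[str, str]:
    """Map each watched hostname to the proxy directive the PAC would apply to it.

    Hosts the PAC leaves DIRECT are absent. On a machine that should have no
    proxy configured at all, any non-empty result is the signal worth alerting on.
    """
    hits = {}
    rules = pac_proxy_rules(pac_text)
    for host in watched_hosts:
        for pattern, directive in rules:
            if _matches(host, pattern):
                hits[host] = directive
                break
    return hits


def macos_autoproxy_urls() -> Dict[str, str]:
    """On macOS, return {network service: PAC URL} for services with auto-proxy enabled.

    Uses the stock `networksetup` tool and returns {} on other platforms, so the
    rest of this script stays runnable anywhere.
    """
    if shutil.which("networksetup") is None:
        return {}
    listing = subprocess.run(["networksetup", "-listallnetworkservices"],
                             capture_output=True, text=True, check=False).stdout
    # First line is an explanatory header; disabled services are prefixed with '*'.
    services = [s.lstrip("*") for s in listing.splitlines()[1:] if s.strip()]
    enabled = {}
    for svc in services:
        info = subprocess.run(["networksetup", "-getautoproxyurl", svc],
                              capture_output=True, text=True, check=False).stdout
        fields = dict(line.split(": ", 1) for line in info.splitlines() if ": " in line)
        if fields.get("Enabled") == "Yes":
            enabled[svc] = fields.get("URL", "")
    return enabled


if __name__ == "__main__":
    watched = ["www.bank-one.example", "login.bank-two.example",
               "ebanking.bank-three.example", "www.example.org"]
    print("Non-DIRECT rules in sample PAC:", pac_proxy_rules(SAMPLE_PAC))
    print("Watched hosts sent through a proxy:", flag_hijacked_hosts(SAMPLE_PAC, watched))
    print("Auto-proxy URLs enabled on this Mac:", macos_autoproxy_urls())
```

In practice the PAC URL reported by `macos_autoproxy_urls()` is what you would fetch (from an isolated analysis host) and feed to `flag_hijacked_hosts()` with the list of banking hostnames your users actually visit; a legitimate corporate PAC routes broad ranges of traffic through a known proxy, whereas the pattern described in the article is a handful of bank domains pointed at an address you do not recognise.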
Dok appears to be highly sophisticated malware, as shown by mutations in its code that make it more difficult to detect and remove - especially as Dok modifies the OS's settings in order to disable security updates and prevent some Apple services from communicating.