Dok (Malware Family)

Dok

aka: Retefe

VTCollection

Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.

References

2019-05-02 ⋅ Proofpoint ⋅ Bryan Campbell, Proofpoint Threat Insight Team
2019: The Return of Retefe
Dok Retefe SmokeLoader

2017-08-03 ⋅ GovCERT.ch ⋅ GovCERT.ch
The Retefe Saga
Retefe Dok Retefe

2017-05-04 ⋅ Check Point Software Technologies Ltd ⋅ Ofer Caspi
OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic
Dok

Yara Rules

[TLP:WHITE] osx_retefe_auto (20201014 | autogenerated rule brought to you by yara-signator)

rule osx_retefe_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b35???????? b901000000 4c 89fa 5b 41 }
            // n = 6, score = 800
            //   8b35????????         |                     
            //   b901000000           | mov                 ecx, 1
            //   4c                   | dec                 esp
            //   89fa                 | mov                 edx, edi
            //   5b                   | pop                 ebx
            //   41                   | inc                 ecx

        $sequence_1 = { ffc3 48 ffc0 49 ffce }
            // n = 5, score = 800
            //   ffc3                 | inc                 ebx
            //   48                   | dec                 eax
            //   ffc0                 | inc                 eax
            //   49                   | dec                 ecx
            //   ffce                 | dec                 esi

        $sequence_2 = { 89f6 48 89fb 48 8b3d???????? 48 8b35???????? }
            // n = 7, score = 800
            //   89f6                 | mov                 esi, esi
            //   48                   | dec                 eax
            //   89fb                 | mov                 ebx, edi
            //   48                   | dec                 eax
            //   8b3d????????         |                     
            //   48                   | dec                 eax
            //   8b35????????         |                     

        $sequence_3 = { b901000000 4c 89fa 5b }
            // n = 4, score = 800
            //   b901000000           | mov                 ecx, 1
            //   4c                   | dec                 esp
            //   89fa                 | mov                 edx, edi
            //   5b                   | pop                 ebx

        $sequence_4 = { 8b35???????? b901000000 4c 89fa 5b }
            // n = 5, score = 800
            //   8b35????????         |                     
            //   b901000000           | mov                 ecx, 1
            //   4c                   | dec                 esp
            //   89fa                 | mov                 edx, edi
            //   5b                   | pop                 ebx

        $sequence_5 = { 48 8b3d???????? 48 8b35???????? b901000000 4c 89fa }
            // n = 7, score = 800
            //   48                   | dec                 eax
            //   8b3d????????         |                     
            //   48                   | dec                 eax
            //   8b35????????         |                     
            //   b901000000           | mov                 ecx, 1
            //   4c                   | dec                 esp
            //   89fa                 | mov                 edx, edi

        $sequence_6 = { 41 ffd7 49 89c7 4c 89e7 }
            // n = 6, score = 800
            //   41                   | inc                 ecx
            //   ffd7                 | call                edi
            //   49                   | dec                 ecx
            //   89c7                 | mov                 edi, eax
            //   4c                   | dec                 esp
            //   89e7                 | mov                 edi, esp

        $sequence_7 = { 89fa 5b 41 5c 41 5e 41 }
            // n = 7, score = 800
            //   89fa                 | mov                 edx, edi
            //   5b                   | pop                 ebx
            //   41                   | inc                 ecx
            //   5c                   | pop                 esp
            //   41                   | inc                 ecx
            //   5e                   | pop                 esi
            //   41                   | inc                 ecx

        $sequence_8 = { 89e7 41 ffd7 49 89c7 4c 89e7 }
            // n = 7, score = 800
            //   89e7                 | mov                 edi, esp
            //   41                   | inc                 ecx
            //   ffd7                 | call                edi
            //   49                   | dec                 ecx
            //   89c7                 | mov                 edi, eax
            //   4c                   | dec                 esp
            //   89e7                 | mov                 edi, esp

        $sequence_9 = { 41 ffd7 49 89c7 4c 89e7 ff15???????? }
            // n = 7, score = 800
            //   41                   | inc                 ecx
            //   ffd7                 | call                edi
            //   49                   | dec                 ecx
            //   89c7                 | mov                 edi, eax
            //   4c                   | dec                 esp
            //   89e7                 | mov                 edi, esp
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 193312
}

[TLP:WHITE] osx_retefe_w0 (20170602 | OSX/Dok)

rule osx_retefe_w0 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OSX/Dok"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe"
        malpedia_version = "20170602"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $c1 = "/usr/local/bin/brew"
        $c2 = "/usr/local/bin/tor"
        $c3 = "/usr/local/bin/socat"
        $c4 = "killall Safari"
        $c5 = "killall \"Google Chrome\""
        $c6 = "killall firefox"
        $c7 = "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain %@"

    condition:
        all of them
}

Download all Yara Rules

Dok Propose Change

References

Yara Rules

Dok