How to Remove or Clean new MacOS ‘Dok’ Malware

If you are a MacOS user who bought a Mac believing the OS cannot be affected by any type of malware, you might be wrong. Check Point Technologies has released detailed information about a new malware attack dubbed OSX/Dok, which affects all versions of OSX, has 0 detections on VirusTotal, is signed with a valid developer certificate (authenticated by Apple), and is the first major-scale malware to target OSX users via a coordinated email phishing campaign.

If you are in a European country, you should be more careful: Check Point Technologies explains that the new malware is, as of now, targeting European users via attachment-based phishing attacks. Don’t worry, you are safe until you download an attachment (called Dokument.ZIP) from the email, at which point it copies itself to the Mac and then displays a false message saying the file couldn’t be opened because it was damaged.

Later it displays another pop-up message claiming there is a new update to your Mac’s software and telling you to click “Update All” right within the message; it then asks you to enter your password to continue. That’s how OSX/Dok malware infects your MacOS.

How you can protect yourself against ‘Dok’
Protecting your MacOS from ‘Dok’ malware is actually pretty easy. Since it’s a phishing attack, you can avoid infection simply by not downloading or opening attachments from unknown sources. The attachment comes with the name Dokument.ZIP, so if that is the name of the attachment, don’t open it. First check whether the email is an official one; if it comes from an address like llk124@ww.edir.4.com, you should probably delete that email right away.

What if your MacOS is already infected with ‘Dok’ malware?
If you have already received such an email and opened the attachment on your Mac, chances are your MacOS is already infected with ‘Dok’. If so, the steps listed below, provided by iMore, can be used to remove the malware from your Mac.

First, navigate to your Proxy configuration settings and delete the rogue server.

1- Click the Apple Menu icon in the upper left corner of the screen.
2- Click System Preferences from the drop down menu.
3- Click Network.
4- Select your current internet connection (Wi-Fi or Ethernet).
5- Click Advanced at the bottom right of the window.
6- Select the Proxies tab.
7- Select Automatic Proxy Configuration.
8- Delete the URL listed as http://127.0.0.1.5555…

Dok also installed two LaunchAgents, which you’ll also have to find and delete.

/Users/%User%/Library/LaunchAgents/com.apple.Safari.proxy.plist
/Users/%User%/Library/LaunchAgents/com.apple.Safari.pac.plist

Lastly, you’ll need to delete the fake signed Apple Developer certificate.

1- Launch Finder.
2- Select Applications.
3- Open your Utilities folder.
4- Double-click on Keychain Access.
5- Select the certificate named COMODO RSA Secure Server CA 2.
6- Right or Control + click on the Certificate.
7- Select Delete Certificate from the drop down options.
8- Select Delete to confirm that you want to delete the certificate.
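
To confirm whether the three artifacts from the steps above are present (or really gone after cleanup), the same checks can be run from Terminal. This script is an added example, not part of the original iMore steps: it only reports and deletes nothing, the function names are hypothetical, and it assumes the stock macOS `networksetup` and `security` command-line tools.

```shell
#!/bin/sh
# Added example: read-only check for the three Dok artifacts named above.
# Function names are hypothetical; nothing is deleted or modified.

DOK_AGENTS="com.apple.Safari.proxy.plist com.apple.Safari.pac.plist"
DOK_CERT="COMODO RSA Secure Server CA 2"

# Print each of the two Dok LaunchAgents that exists under a home directory.
dok_launchagents() {
    for name in $DOK_AGENTS; do
        if [ -e "$1/Library/LaunchAgents/$name" ]; then
            printf '%s\n' "$1/Library/LaunchAgents/$name"
        fi
    done
    return 0
}

# Succeed if a proxy auto-config URL starts with the loopback address the
# article lists (prefix match, so any port or path is flagged for review).
dok_pac_is_local() {
    case $1 in
        http://127.0.0.1*|https://127.0.0.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# macOS only: print services whose Automatic Proxy Configuration URL is local.
dok_check_proxies() {
    networksetup -listallnetworkservices | tail -n +2 | while IFS= read -r svc; do
        svc=${svc#\*}    # a leading * marks a disabled service
        url=$(networksetup -getautoproxyurl "$svc" 2>/dev/null | sed -n 's/^URL: //p')
        if dok_pac_is_local "$url"; then
            printf 'Local PAC URL on "%s": %s\n' "$svc" "$url"
        fi
    done
}

# Run the live checks only where the macOS tools exist.
if command -v networksetup >/dev/null 2>&1; then
    dok_check_proxies
    dok_launchagents "$HOME"
    if security find-certificate -c "$DOK_CERT" >/dev/null 2>&1; then
        printf 'Certificate in keychain: %s\n' "$DOK_CERT"
    fi
fi
```

No output on a Mac means none of the three artifacts was found for the current user; run it once per user account, since LaunchAgents live in each user's Library folder.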

Final Tips
Don’t open attachments from unknown sources. Don’t click on suspicious-looking pop-up messages. Check email addresses of senders to see if they are real. You can protect yourself from attacks if you stay aware. If you think that the steps above are too complicated, you can also get help from Apple support or let us know in the comments below.

Rizwan Ahmad

Rizwan is an avid mobile geek and a gaming lover. He loves to keep a tab on new tech and loves to share the latest tech news and reviews on Smartphones, Gadgets, Apps, and more.

This post was last modified on 23rd July 2020 10:48 am
