macOS Trojan OSX / Dok installs Messenger Signal and steals banking data

According to the well-known software company Check Point, the macOS Trojan OSX / Dok is back, and this time it installs the messenger Signal while also stealing account details for online banking. The latter basically works without Signal, which is why the digital security experts attribute several possible roles to the messenger app. It is possible that it only serves as a placeholder for mobile attacks on the iPhone by the fraudsters who want to steal bank data with the macOS Trojan OSX / Dok.

If you use an Apple Mac, iMac or MacBook for online banking, you should avoid catching the OSX / Dok trojan, which attacks Mac OS X and macOS.

Mac Trojan OSX / Dok under the microscope since April 2017

As early as April 2017, Check Point pointed out in a post the Mac malware that attacks Apple users' data. Even then, the attackers' goal was to read the victims' communications, also and above all those that run over SSL-encrypted connections. The goal of OSX / Dok is clearly data theft by spying on confidential information, email addresses and passwords. In addition, according to Check Point, the same applies now as in April: users of Apple Mac, MacBook and iMac in Europe are particularly affected.

Worth reading: Do I need antivirus software on the Mac or MacBook?

New version malware: banking information and Signal Messenger

[...] the sneaky actors behind [the OSX / Dok malware] don't give up yet. They target the victim's banking credentials by mimicking sites from major banks.

Check Point announces this in a recent article. In addition to spying on login data for online banking, Mac users are called upon to install an app on their smartphone (iPhone). A QR code is provided for this, in order to bypass authentication.

The app is currently the messenger Signal, which can take on the following roles:

  • Bypassing / simulating the two-factor authentication that is otherwise implemented via SMS
  • Placeholder that the cyber criminals exchange with their own app in later versions of the malware
  • Communication path for further malware, blackmail (Ransomware) or similar
  • Measuring the success of the malware, which is apparently high in many installations

Why is the malware not recognized by the Apple Mac?

Apple and its individual products, from iMac and Mac to MacBook to iPhone and iPad, have long been considered secure and invulnerable. Due to the growing popularity and number of users, cyber criminals are now making much more effort and finding ways to infiltrate your Mac as well. Viruses, malware, ransomware, Trojans and more are no longer just a problem for Microsoft Windows and PC users. For example, the attackers buy Apple certificates in order to evade Apple's Gatekeeper security feature.

Fake bank page using the example of Credit Suisse

In the linked post by Check Point you will find a comprehensive depiction of the fake page that the OSX / Dok malware displays when the victim wants to use Credit Suisse online banking. This bank is only one example, since in addition to banks in Switzerland, Germany and Austria, other banking sites in Europe are / may be affected. In any case, on the fake page you get a message about the "modernization of the security system" and you are asked to install the mobile application:

Source: Check Point

This is how you recognize a fake bank page

The two pages are as alike as two peas in a pod; even the current security notice on the real Credit Suisse page, which warns about phishing e-mails, is copied. However, here are three characteristics by which you can recognize a fake online banking site that is related to the Mac Trojan:

| Characteristic | Real Credit Suisse site | Fake site for data theft |
| --- | --- | --- |
| SSL Certificate | "Credit Suisse Group AG (CH)" | "Secure" |
| Authentication token in URL | "Auth? ~ ..." | "Auth? Language = ..." |
| Years in copyright | 1997-2017 | 1997-2013 |
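The certificate and copyright rows of the table can be checked mechanically. The following is an added example, not code from Check Point or from this blog: it reads the organization from a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns and the copyright range from the page HTML. The sample certificates, the footer HTML and the host name `bank.example` are constructed for illustration.

```python
import re

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# The host name bank.example is a placeholder, not a real bank host.
REAL_CERT = {"subject": ((("countryName", "CH"),),
                         (("organizationName", "Credit Suisse Group AG"),),
                         (("commonName", "bank.example"),))}
FAKE_CERT = {"subject": ((("commonName", "bank.example"),),)}
# Constructed footers; only the year ranges are taken from the table.
REAL_HTML = "<footer>Copyright &copy; 1997-2017 CREDIT SUISSE GROUP</footer>"
FAKE_HTML = "<footer>Copyright &copy; 1997-2013 CREDIT SUISSE GROUP</footer>"


def subject_field(cert, name):
    """Return the first value of a subject attribute, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None


def copyright_end_year(html):
    """Return the last year of a 'YYYY-YYYY' copyright range, or None."""
    m = re.search(r"(?:©|&copy;|copyright)\D{0,20}(\d{4})\s*[-–]\s*(\d{4})",
                  html, re.I)
    return int(m.group(2)) if m else None


def check_bank_page(cert, html, expected_org, current_year):
    """Return a list of findings; an empty list means no indicator fired."""
    findings = []
    org = subject_field(cert, "organizationName")
    if org is None:
        # Browser shows only "Secure" instead of the bank's name.
        findings.append("certificate names no organization")
    elif org != expected_org:
        findings.append(f"certificate organization is {org!r}, "
                        f"expected {expected_org!r}")
    end = copyright_end_year(html)
    if end is not None and end < current_year:
        findings.append(f"copyright range ends in {end}, page looks like an old copy")
    return findings


if __name__ == "__main__":
    for label, cert, html in (("real", REAL_CERT, REAL_HTML),
                              ("fake", FAKE_CERT, FAKE_HTML)):
        print(label, check_bank_page(cert, html, "Credit Suisse Group AG", 2017))
```

These indicators describe the fake page documented here; an empty result does not prove that a page is genuine, because both values are under the attacker's control.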

This is how redirecting to the fake page works

The OSX / Dok Trojan first locates the victim using their IP address. Depending on the geographic location, a proxy is then selected, which redirects to the C&C (command and control) server in the correct language via the Tor network and the dark net. Or to put it another way: when a bank page is called up, the user does not reach the page on the bank's servers, but is directed to the fake page on the attacker's servers. If you want to see which bank URLs are affected, I recommend this overview from Check Point:

Source: Check Point

More information and tips

You can find more information, notes and background on the current threat to everyone who uses an Apple Mac for online banking in the linked articles from Check Point. There you will also find further graphics and details on the source code of the OSX / Dok trojan.




  1. PeterOFre says:

    Maybe you won't get this trojan until you go to Check Point. All very dubious.
    Separate multiple backups and slider for the camera, on the other hand, is a good tip and has been done by me for a long time.
    And I don't even react to emails from banks. I also don't understand how PayPal, for example, still sends the notice of a new account overview by email.

    • sir appleot says:

      Yes, that is the right attitude. Nothing really important comes from a bank via email. And certainly not an indication that the access data must be verified. Unfortunately, with PayPal you have the problem that information is sometimes sent by email. I would like them to have 2-factor authentication. That would make the story much less risky. LG! Jens
