How to detect and remove Dok malware on a Mac

Dok is not one of your typical unsophisticated and crude pieces of nasty software. No, this malware is smart and resourceful, even re-uploading itself after it has been deleted. First detected in 2017, Dok is capable of monitoring and altering web traffic to and from an infected Mac.

Dok is designed to steal user data, including passwords, whether or not a site is encrypted, including the details it would need to access bank accounts and other websites that require an encrypted password. It can also redirect traffic, taking a Mac user to another website designed to collect more information or open the door to other viruses and cyber-attacks. It is not something you want to get into your operating system, and yet this still poses a threat to Mac users around the world.

What is Dok and how to know you’re infected?

So far, victims are mainly in Europe, which suggests it originates from within the EU or somewhere nearby. It is a malware virus spread through attachments in phishing emails with a Dokument.zip attachment name, hence the name ‘Dok’ for the virus. The file it is attempting to download uses a pixelated version of the icon image for Apple’s older Preview app.

If someone clicks on an email with that attachment and accidentally the attachment starts to download, error messages will soon appear. It looks like the file is corrupted, and a download hasn’t taken place. In that case, you might think that there is nothing to worry about. Unfortunately, that isn’t the case, and this is one of the ways Dok is so dangerous.

During the attempted and apparently unsuccessful download attempt, Dok copies itself into the /Users/Shared folder. At the same time, it replaces your App Store Login item with itself. During this download process, some victims and cybersecurity experts have noted that a Mac realizes that the zip folder is an application, and so it warns users. However, it is able to override this, and when attempting to close the application that isn’t working, it gets stuck. A Mac can freeze during this process, and even trying to close it using Force Quit won’t work because the app doesn’t appear in the menu bar.

At this point, many who’ve been infected will shut a Mac down and start again. It will appear that everything is back to normal, which is what Dok wants. One way Dok is able to take control is that most of the time, during the download sequence, it will ask for your admin/login password. With that, it has full control of your Mac. It should also be noted that if you’ve been infected, you are far from alone. This is one of the most widespread malware attacks against macOS that other software professionals and we have seen in years.

One way that Dok could get onto so many Macs so easily is that it came with a fake Apple Developer ID, therefore making it look as though macOS security systems should trust it. Even after Apple discovered and revoked this, the creators set up a new Developer ID. 

Beware that Dok might prompt you to install fake OSX updates. This is a trap, so don’t agree to it.

Once infected, Dok accesses the Unix shell of the Mac, creating a user that has “test” access without needing a password after gaining control of your login details, thereby getting access to root-level permissions that allow it complete control. Clearly, those behind this virus have the resources and skills to implement a wide-scale attack.

When Dok has control, it downloads other malicious pieces of software that let it subvert all web traffic to and from a Mac. Stealing data and passwords without a Mac user being aware that they’ve fallen victim to this malware.

How to remove Dok manually

Removing Dok manually is possible, although it is only something experienced Mac power users should try. One way is to remove the Proxy server. Before doing anything, Force Quit every application, including — and especially — every web browser you are currently using.

To remove the Proxy Server:

1. Open System Preferences.
2. Click on Network.
3. Select the current method you are using to connect to the Internet, then click Advanced.
4. Click Proxies.

On the left, you can select the Automatic Proxy Configuration protocol. If you are infected, the URL should start with http://127.0.0.1:5555. Delete this. It should cut the connection to the Dok command-and-control server.

Another way is to remove Launch Agents, providing you enable hidden files and folders first. Within your Library (a hidden file), there should be two files that need to be deleted: apple.Safari.proxy.plist. and com.apple.Safari.pac.plist. With these gone, your Mac should be completely free from Dok.

Even after doing that, it is worth checking every other file and folder for anything else suspicious and rebooting your Mac to make sure it is running smoothly.

How to remove Dok malware in a few clicks 

Now, if that sounds like you could break your Mac trying something you’ve not done before, there is a way of removing Dok without diving into technical details.

Download CleanMyMac X — a powerful Mac cleaner and malware removal tool. It will run a scan, see what has got into your Mac, and then delete it for good quickly and safely without you needing to know how a Mac runs under the hood.

1. Download CleanMyMac X (a free edition of the app).
2. Launch the app.
3. Choose Malware Removal.
4. Click Scan.
5. Click Remove.

As easy as that. CleanMyMac X detects thousands of threats, including adware, spyware, viruses, and worms, so you can neutralize them for good.

Dok is certainly one of the most prolific and dangerous versions of malware we have seen in some time. It is dangerous and capable of redirecting even secure web traffic to and from your Mac. It will steal passwords and gain access to your social accounts, emails, and potentially even bank accounts. Take care whenever you get an unexpected email with an attachment. Thankfully, there are ways to remove Dok safely and quickly, as we hope this article has demonstrated.