S0281 Dok
Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e., Adversary-in-the-Middle). [1][2][3]
| Item | Value |
|---|---|
| ID | S0281 |
| Associated Names | Retefe |
| Type | MALWARE |
| Version | 2.0 |
| Created | 17 October 2018 |
| Last Modified | 12 October 2021 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Retefe | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| Enterprise | T1548.003 | Sudo and Sudo Caching | Dok adds `admin ALL=(ALL) NOPASSWD: ALL` to the `/etc/sudoers` file. [2] |
| Enterprise | T1557 | Adversary-in-the-Middle | Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic. [1][3] |
| Enterprise | T1547 | Boot or Logon Autostart Execution | - |
| Enterprise | T1547.015 | Login Items | Dok uses AppleScript to install a login item by sending Apple events to the System Events process. [2] |
| Enterprise | T1059 | Command and Scripting Interpreter | - |
| Enterprise | T1059.002 | AppleScript | Dok uses AppleScript to create a login item for persistence. [1] |
| Enterprise | T1543 | Create or Modify System Process | - |
| Enterprise | T1543.001 | Launch Agent | Dok installs two LaunchAgents to redirect all network traffic; each plist file is given a randomly generated name that follows the format `com.random.name.plist`. [1][3] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Dok exfiltrates logs of its execution, stored in the `/tmp` folder, over FTP using the `curl` command. [2] |
| Enterprise | T1222 | File and Directory Permissions Modification | - |
| Enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Dok gives all users execute permission on the application using the command `chmod +x /Users/Shared/AppStore.app`. [3] |
| Enterprise | T1056 | Input Capture | - |
| Enterprise | T1056.002 | GUI Input Capture | Dok prompts the user for credentials. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | - |
| Enterprise | T1027.002 | Software Packing | Dok is packed with the UPX executable packer. [2] |
| Enterprise | T1090 | Proxy | - |
| Enterprise | T1090.003 | Multi-hop Proxy | Dok downloads and installs Tor via Homebrew. [1] |
| Enterprise | T1553 | Subvert Trust Controls | - |
| Enterprise | T1553.004 | Install Root Certificate | Dok installs a root certificate to aid in Adversary-in-the-Middle actions using the command `add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/filename`. [1][2] |