
S0281 Dok

Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user’s network traffic (i.e. Adversary-in-the-Middle).[1][2][3]

| Item | Value |
|---|---|
| ID | S0281 |
| Associated Names | Retefe |
| Version | 2.0 |
| Created | 17 October 2018 |
| Last Modified | 12 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Software Descriptions

| Name | Description |
|---|---|
| Retefe | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.003 | Sudo and Sudo Caching | Dok adds `admin ALL=(ALL) NOPASSWD: ALL` to the `/etc/sudoers` file.[2] |
| enterprise | T1557 | Adversary-in-the-Middle | Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic.[1][3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.015 | Login Items | Dok uses AppleScript to install a login item by sending Apple events to the System Events process.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.002 | AppleScript | Dok uses AppleScript to create a login item for persistence.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.001 | Launch Agent | Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Dok exfiltrates logs of its execution stored in the `/tmp` folder over FTP using the `curl` command.[2] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Dok gives all users execute permissions for the application using the command `chmod +x /Users/Shared/` |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.002 | GUI Input Capture | Dok prompts the user for credentials.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | Dok is packed with a UPX executable packer.[2] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | Dok downloads and installs Tor via homebrew.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.004 | Install Root Certificate | Dok installs a root certificate to aid in Adversary-in-the-Middle actions using the command `add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/filename`.[1][2] |