Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[1][2][3]
| Name | Description |
|---|---|
| Retefe | [1] |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1557 | Adversary-in-the-Middle | Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic.[1][3] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | |
| Enterprise | T1543.001 | Create or Modify System Process: Launch Agent | Dok installs two LaunchAgents to redirect all network traffic, with a randomly generated name for each plist file maintaining the format |
| Enterprise | T1547.015 | Boot or Logon Autostart Execution: Login Items | Dok uses AppleScript to install a login item by sending Apple events to the |
| Enterprise | T1059.002 | Command and Scripting Interpreter: AppleScript | Dok uses AppleScript to create a login item for persistence.[1] |
| Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Dok gives all users execute permissions for the application using the command |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Dok exfiltrates logs of its execution stored in the |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1548.003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching | Dok adds |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | |
| Enterprise | T1553.004 | Subvert Trust Controls: Install Root Certificate | Dok installs a root certificate to aid in Adversary-in-the-Middle actions using the command |