Dok
Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[1][2][3]
Associated Software Descriptions
| Name | Description |
|---|---|
| Retefe |
[1]. |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .003 | Abuse Elevation Control Mechanism: Sudo and Sudo Caching |
Dok adds |
| Enterprise | T1557 | Adversary-in-the-Middle |
Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic.[1][3] |
|
| Enterprise | T1547 | .015 | Boot or Logon Autostart Execution: Login Items |
Dok uses AppleScript to install a login Item by sending Apple events to the |
| Enterprise | T1059 | .002 | Command and Scripting Interpreter: AppleScript |
Dok uses AppleScript to create a login item for persistence.[1] |
| Enterprise | T1543 | .001 | Create or Modify System Process: Launch Agent |
Dok installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Dok exfiltrates logs of its execution stored in the |
| Enterprise | T1222 | .002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification |
Dok gives all users execute permissions for the application using the command |
| Enterprise | T1056 | .002 | Input Capture: GUI Input Capture | |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1090 | .003 | Proxy: Multi-hop Proxy | |
| Enterprise | T1553 | .004 | Subvert Trust Controls: Install Root Certificate |
Dok installs a root certificate to aid in Adversary-in-the-Middle actions using the command |