Trend Micro specialists have found new malicious software targeting users of Apple computers. The malware, called OSX_DOK, is a modified version of the Werdlod banking Trojan, which was developed for Windows-based systems. OSX_DOK mostly targets customers of Swiss banks.
According to researchers, the malicious OSX_DOK campaign is part of the Emmental operation, which first became known in 2012. As part of Emmental, cybercriminals tried to gain full control over the bank accounts of users in Switzerland, Sweden, Austria and Japan using various tools and techniques such as phishing attacks, malware and fraudulent DNS servers.
The OSX_DOK Trojan is distributed via phishing emails carrying malicious files with the extensions .zip and .docx. The .zip file is a fake application for macOS, while the second file contains the Werdlod Trojan and is used to attack Windows-based systems. Both programs act as banking Trojans and have similar functionality.
Once on the system, the malware removes the standard App Store application and displays a fake macOS update window that prompts for an administrator password. Having obtained the credentials, the malware downloads additional applications and generates fake certificates for a man-in-the-middle attack.
The malware automatically closes browsers in order to install the certificate. Every time the user tries to connect to the site of a Swiss bank whose domain is on the list embedded in the Trojan's code, a phishing page designed to steal credentials is displayed instead.