Dok steals banking information through man-in-the-middle [1].

ID: S0281
Associated Software: Retefe
Platforms: macOS
Version: 1.1
Created: 17 October 2018
Last Modified: 19 March 2020

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1547 .011 Boot or Logon Autostart Execution: Plist Modification

Dok persists via a plist login item.[1]

Enterprise T1059 .002 Command and Scripting Interpreter: AppleScript

Dok uses AppleScript to create a login item for persistence.[1]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

Dok persists via a Launch Agent.[1]

Enterprise T1056 .002 Input Capture: GUI Input Capture

Dok prompts the user for credentials.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Dok downloads and installs Tor via homebrew.[1]

Enterprise T1553 .004 Subvert Trust Controls: Install Root Certificate

Dok installs a root certificate to aid in man-in-the-middle actions.[1]