Retefe v OSX.DOK Part 2

Last month I had some time to look at the latest iteration of OSX.DOK/Retefe for macOS, and thanks to Jaromir from Avast and the excellent VB presentation I can conclude they are almost identical. The reasons for this include the following:

From the presentation at VB Avast noted

Below is a collection of some of the recent samples collected from Swiss campaigns targeting OSX victims.

The payloads are being signed with developer certificates, presumably stolen, which enable them to bypass the macOS security feature known as Gatekeeper. It's not clear how these accounts are being used or if they are using pseudonyms to prevent suspicion; below are some samples. You can use the codesign command with relevant parameters to identify the signed status of the app bundle.

Masquerading as


All macOS apps need a manifest file known as an Info.plist file, which includes the MachineOSBuild as a tag. In this case it was 13F1911, which is commonly known as OSX Mavericks, which means it was likely a virtual machine or the developer has an older OS.

The samples are UPX packed 
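As an added example (not code from the original post), the two static checks above can be scripted: read the build-machine OS build from Info.plist and look for the UPX magic in the bundle's executable. It assumes Xcode's `BuildMachineOSBuild` key is the tag meant above; the function names are hypothetical and the bundle written by `make_sample_bundle` is a constructed stand-in, not a real sample.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Leading number of an Apple build string -> OS release (Darwin major version).
RELEASES = {12: "OS X 10.8 Mountain Lion", 13: "OS X 10.9 Mavericks",
            14: "OS X 10.10 Yosemite", 15: "OS X 10.11 El Capitan",
            16: "macOS 10.12 Sierra"}


def triage_bundle(app: Path) -> dict:
    """Static triage of an .app bundle: build-machine OS and UPX marker."""
    with open(app / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)  # handles both XML and binary plists
    build = info.get("BuildMachineOSBuild")  # key assumed; absent in some apps
    m = re.match(r"(\d+)[A-Z]", build or "")
    release = RELEASES.get(int(m.group(1)), "unknown") if m else None
    exe_name = info.get("CFBundleExecutable")
    exe = app / "Contents" / "MacOS" / exe_name if exe_name else None
    # Heuristic only: UPX leaves the ASCII magic "UPX!" in the packed file.
    packed = bool(exe and exe.is_file() and b"UPX!" in exe.read_bytes())
    return {"build": build, "release": release,
            "executable": exe_name, "upx_marker": packed}


def make_sample_bundle(root: Path) -> Path:
    """Write a constructed stand-in bundle (not a real sample) for the demo."""
    app = root / "Sample.app"
    (app / "Contents" / "MacOS").mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Sample",
                       "BuildMachineOSBuild": "13F1911"}, fh)
    # Mach-O 64-bit magic, filler bytes, then a UPX marker.
    (app / "Contents" / "MacOS" / "Sample").write_bytes(
        b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + b"UPX!" + b"\x00" * 16)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_bundle(make_sample_bundle(Path(tmp))))
```

A missing `BuildMachineOSBuild` or an absent UPX marker proves nothing by itself; both are triage hints to weigh alongside the signing identity.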


I've just uploaded one single sample for researchers to analyse; however, Apple is actively investigating the misuse of these certificates.

  • 11/05 notified Apple Security
  • 13/05 confirmed incident with Apple Security
  • 17/05 shared developer identities with Apple