Holy Mokes! OS X users warned of sophisticated backdoor malware

Cross-platform threat captures audio, monitors removable media, and more.

Allow me to introduce Backdoor.OSX.Mokes.a, the OS X variant of a cross-platform backdoor trojan that also exists for Windows and Linux.

Researchers at Kaspersky Lab first came across the Windows and Linux variants of Mokes.a back in January 2016.

Like its siblings, the OS X version can steal different types of information off of a user's infected machine.

Kaspersky researcher Stefan Ortloff explains that the malware (by no means the first OS X backdoor trojan) wastes no time once it lands on a new system:

When executed for the first time, the malware copies itself to the first available of the following locations, in this order:

  • $HOME/Library/App Store/storeuserd
  • $HOME/Library/com.apple.spotlight/SpotlightHelper
  • $HOME/Library/Dock/com.apple.dock.cache
  • $HOME/Library/Skype/SkypeHelper
  • $HOME/Library/Dropbox/DropboxCache
  • $HOME/Library/Google/Chrome/nacld
  • $HOME/Library/Firefox/Profiles/profiled

[Image: the autorun plist created by OSX.Mokes, from Ortloff's report]

Wherever it manages to copy itself, Mokes.a creates a plist file to persist on the system, and only then reaches out to its command-and-control (C&C) server over HTTP on TCP port 80.

If all goes well, the server replies with "text/html" content 208 bytes in length, which the binary uses to set up an encrypted communication channel.

The malware can then activate its backdoor capabilities, including capturing audio and screenshots, monitoring removable media, and scanning the infected machine for Office documents.

[Image: the file filters built into OSX.Mokes, from Ortloff's report]

Those aren't the only files for which Mokes.a can scan, however. As Ortloff explains:

"The attacker controlling the C&C server is also able to define its own file filters to enhance the monitoring of the file system as well as execute arbitrary commands on the system."

In case the C&C server becomes unreachable, the backdoor also stores everything it captures locally, in a series of temporary files under $TMPDIR:

  • $TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)
  • $TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures)
  • $TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
  • $TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)
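The three artefacts the article lists (the drop locations, the persistence plist, and the capture-file naming scheme) are enough to write a local hunt. The script below is an added example, not code from the article or from Kaspersky's report. It assumes the drop paths are relative to $HOME as listed, that the persistence plist lives in ~/Library/LaunchAgents (the article does not say where the plist is written, so this is the usual per-user launchd location rather than a confirmed detail), and that the "nnn" in the capture-file names is a three-digit counter. The sample files in the usage note at the bottom are constructed for illustration.

```python
"""Hunt for Backdoor.OSX.Mokes.a artefacts in a user's home and temp dirs.

Added example (not the article's or Kaspersky's code). Checks:
  1. the drop locations named in Ortloff's write-up,
  2. LaunchAgent plists that reference a drop location (assumed location),
  3. capture files in $TMPDIR matching <kind>0-DDMMyy-HHmmss-nnn.<kind>t.
"""
import os
import re
from pathlib import Path

# Drop locations from the article, relative to $HOME.
DROP_PATHS = [
    "Library/App Store/storeuserd",
    "Library/com.apple.spotlight/SpotlightHelper",
    "Library/Dock/com.apple.dock.cache",
    "Library/Skype/SkypeHelper",
    "Library/Dropbox/DropboxCache",
    "Library/Google/Chrome/nacld",
    "Library/Firefox/Profiles/profiled",
]

# Capture files: prefix and extension must agree (ss0-...sst, aa0-...aat, ...).
# Assumption: "nnn" is a three-digit counter; widen to \d+ if you see otherwise.
CAPTURE_RE = re.compile(
    r"^(?P<kind>ss|aa|kk|dd)0-\d{6}-\d{6}-\d{3}\.(?P=kind)t$"
)
CAPTURE_KINDS = {"ss": "screenshot", "aa": "audio", "kk": "keylog", "dd": "data"}


def find_dropped_binaries(home):
    """Return the drop-location paths under `home` that exist as regular files."""
    home = Path(home)
    return [str(home / rel) for rel in DROP_PATHS if (home / rel).is_file()]


def classify_capture_file(name):
    """Return the capture kind for a Mokes temp-file name, or None if it does not match."""
    m = CAPTURE_RE.match(name)
    return CAPTURE_KINDS[m.group("kind")] if m else None


def find_capture_files(tmpdir):
    """Return {path: kind} for regular files in `tmpdir` that match the naming pattern."""
    tmpdir = Path(tmpdir)
    if not tmpdir.is_dir():
        return {}
    found = {}
    for entry in tmpdir.iterdir():
        kind = classify_capture_file(entry.name)
        if kind and entry.is_file():
            found[str(entry)] = kind
    return found


def find_persistence_plists(home):
    """Return LaunchAgent plists whose text mentions any drop location.

    Assumption (not from the article): the plist is written to
    ~/Library/LaunchAgents. Plists are read as text, so binary plists
    are not matched; convert them with `plutil -convert xml1` first.
    """
    agents = Path(home) / "Library" / "LaunchAgents"
    if not agents.is_dir():
        return []
    hits = []
    for plist in agents.glob("*.plist"):
        try:
            text = plist.read_text(errors="replace")
        except OSError:
            continue
        if any(rel in text for rel in DROP_PATHS):
            hits.append(str(plist))
    return sorted(hits)


def hunt(home=None, tmpdir=None):
    """Run all three checks; defaults to the current user's $HOME and $TMPDIR."""
    home = home or os.path.expanduser("~")
    tmpdir = tmpdir or os.environ.get("TMPDIR", "/tmp")
    return {
        "binaries": find_dropped_binaries(home),
        "plists": find_persistence_plists(home),
        "captures": find_capture_files(tmpdir),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2))
```

Run it as the affected user so $HOME and $TMPDIR resolve to that user's directories; any non-empty list in the output is worth a closer look, although a file at one of the drop paths is only a hit for this sample, and a legitimate Skype or Dropbox install does not create those particular helper names.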

Along with other OS X malware, Mokes.a shows that attackers are targeting Macs, albeit far less often than Windows machines.

With that in mind, OS X users should install an anti-virus solution on their Macs. They can also check their machines for the files associated with this backdoor by referring to Ortloff's report here.

2 Responses

  1. LizW

    September 10, 2016 at 6:53 pm

    What is a good anti-virus program to use on a Mac? I have always been told I don't need one.

  2. kim

    January 24, 2017 at 4:16 am

    Yes, I am a Mac user who has been victimized by this vicious malware. It has copied itself repeatedly and has altered documents, gotten into PayPal accounts, redirected much of my web browsing to install more malware, and the list goes on and on.

    The crime is way beyond grand larceny; it not only has stolen tens of thousands of dollars but has also negated any sense of privacy that one may ever have considered.

    Just a good thing that I'm very innocent and have nothing to hide... well, except for my personal and bank information...

    At first I thought I was delusional... paranoid... surely PayPal and my Mac are safe... Not so.

    I will never trust my personal computer again...