Mokes Mac OS X Backdoor Discovered

The Mokes Mac OS X Backdoor is the latest threat to Apple’s desktop operating system as it as compiled as a cross-platform malware.

Mokes Targets Both Mac OS X, Windows and Linux Systems

In January this year security researchers uncovered a new malware family Mokes of cross-platform backdoors that target desktop operating systems. The binary files for the Microsoft Windows and Linux distributions were named Mokes and now a Mac OS X variant has been detected. The malware is written in the C++ programming language and utilizes the QT framework which is a popular choice for many consumer applications and Is statically linked to the OpenSSL implementation.

The Mokes Mac OS X variant comes packed in a file like the Linux executable. When it is executed the malware spreads across the system and attempts to copy itself to one of the following system locations:

  • $HOME/Library/App Store/storeuserd
  • $HOME/Library/com.apple.spotlight/SpotlightHelper
  • $HOME/Library/Dock/com.apple.dock.cache
  • $HOME/Library/Skype/SkypeHelper
  • $HOME/Library/Dropbox/DropboxCache
  • $HOME/Library/Google/Chrome/nacld
  • $HOME/Library/Firefox/Profiles/profiled

In accordance with the file location, Mokes crafts a plist file to attempt persistence on the infected system. Then it establishes a connection with the remote malicious C&C servers using the HTTP protocol on port 80. Mokes uses a custom user agent string that contains a specific value. Upon connection with the remote server, the facility replies with a set heartbeat signal. Then the connection is transformed into an encrypted one carried on TCP port 443 using the AES-256 cryptography algorithm.

The backdoor functions are supplemented with an audio capture feature and the ability to capture the displayed screen at the frequency of 30 seconds and also the monitoring of removable storage devices.

As such Mokes has the ability to hijack sensitive information from the infected hosts. The malware can execute arbitrary code through the backdoor which is also a severe concern.

The operators of the C&C servers can scan the infected system for Office documents (Documents and Spreadsheets in popular formats) and even define their filters for file scanning.

So far no major attacks are reported however experts rate Mokes as a very dangerous tool in the criminal arsenal and campaigns may be upcoming.

Was this content helpful?

Avatar

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *