Cross-platform Mokes backdoor OS X exists and is spreading in the wild

Malware researchers from Kaspersky Lab confirmed the existence of an OS X variant of the Mokes backdoor discovered in January by Kaspersky.

Malware researchers from Kaspersky Lab confirmed the existence of an OS X variant of a recently discovered family of cross-platform backdoors. The backdoors family was named Mokes and a strain of malware was first spotted in January, but its existence was confirmed only this week.

“Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx.” wrote Kaspersky.

The malicious code is able to steal various kinds of data from an infected system, including screenshots, Office-Documents (docx, .doc, .xlsx, and .xls files), Keystrokes, and Audio-/Video-Captures.

The Mokes backdoor also allows hackers to execute arbitrary commands on the victim’s computer, it works on Linux, Windows and also OS X.

The sample of OS X Mokes backdoor recently analyzed by Kaspersky was unpacked, but researchers believe it’s packed as the Linux variant spotted in January.

Once executed, the Mokes backdoor copies itself to a handful of locations, choosing the first available in the following locations:

• $HOME/Library/App Store/storeuserd
• $HOME/Library/com.apple.spotlight/SpotlightHelper
• $HOME/Library/Dock/com.apple.dock.cache
• $HOME/Library/Skype/SkypeHelper
• $HOME/Library/Dropbox/DropboxCache
• $HOME/Library/Google/Chrome/nacld
• $HOME/Library/Firefox/Profiles/profiled

After the malware establish a first connection with its C&C server using HTTP on TCP port 80, the backdoor communicates via TCP port 443.

The researchers discovered that the User-Agent string is hardcoded in the binary, once the server receive it, it replies with “text/html” content of 208 bytes in length. Then the encrypted connection is established using the AES-256-CBC algorithm.

The strange things that characterized the story is that despite the malware researchers spotted the first samples of backdoor in January, the number of infections samples did not increase.

Stefan Ortloff, the researcher with Kaspersky Lab’s Global Research and Analysis Team which identified the family of Mokes backdoor hasn’t provided details on the infection vector.

The report published by Kaspersky also includes the IoC for the detection of the backdoor.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Backdoor.Linux.Mokes, MAC OS X)