Holy Mokes! OS X users warned of sophisticated backdoor malware

Cross-platform threat captures audio, monitors removable media, and more.

David Bisson

Allow me to introduce Backdoor.OSX.Mokes.a, the OS X variant of a backdoor trojan which is capable of infecting all major operating systems.

Researchers at Kaspersky Lab first came across the Windows and Linux variants of Mokes.a back in January 2016.

Like its siblings, the OS X version can steal different types of information off of a user’s infected machine.

Kaspersky researcher Stefan Ortloff explains that the malware, which isn’t the first OS X backdoor trojan, doesn’t waste any time when first introduced to a new system:

When executed for the first time, the malware copies itself to the first available of the following locations, in this order:

  • $HOME/Library/App Store/storeuserd
  • $HOME/Library/com.apple.spotlight/SpotlightHelper
  • $HOME/Library/Dock/com.apple.dock.cache
  • $HOME/Library/Skype/SkypeHelper
  • $HOME/Library/Dropbox/DropboxCache
  • $HOME/Library/Google/Chrome/nacld
  • $HOME/Library/Firefox/Profiles/profiled

[Image: the autorun plist created by Mokes.a, from Ortloff's report]

In whichever location it is able to copy itself, Mokes.a creates a plist file to achieve persistence on the system before first reaching out to its command-and-control (C&C) server using HTTP on TCP port 80.

If all goes well, the server replies with “text/html” content of 208 bytes in length, allowing the binary to set up an encrypted communication channel.

The malware can then load up its backdoor functionalities, including the ability to capture audio and screenshots, monitor removable media, and scan the infected machine for available Office documents.

[Image: the file filters used by Mokes.a, from Ortloff's report]

Those aren’t the only files for which Mokes.a can scan, however. As Ortloff explains:

“The attacker controlling the C&C server is also able to define own file filters to enhance the monitoring of the file system as well as executing arbitrary commands on the system.”

Just in case something happens to the C&C server, the backdoor can also upload all of its captured data to a series of temporary files:

  • $TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)
  • $TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures)
  • $TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
  • $TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)
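As an added example (not code from the article or from Ortloff's report), here is a small Python triage helper that checks a home directory for the persistence paths listed earlier and matches file names against the staging-file naming pattern above. The `exists` hook and the sample directory listing are constructed for this example; a name match alone is a lead for a closer look, not proof of infection.

```python
import os
import posixpath
import re

# Persistence paths from Ortloff's report (relative to $HOME), in the order Mokes.a tries them.
MOKES_PERSISTENCE_PATHS = [
    "Library/App Store/storeuserd",
    "Library/com.apple.spotlight/SpotlightHelper",
    "Library/Dock/com.apple.dock.cache",
    "Library/Skype/SkypeHelper",
    "Library/Dropbox/DropboxCache",
    "Library/Google/Chrome/nacld",
    "Library/Firefox/Profiles/profiled",
]
# Staging files in $TMPDIR follow <kind>0-DDMMyy-HHmmss-nnn.<kind>t, e.g. ss0-160916-142301-001.sst
MOKES_STAGING_RE = re.compile(
    r"^(?P<kind>ss|aa|kk|dd)0-(?P<date>\d{6})-(?P<time>\d{6})-\d{3}\.(?P=kind)t$")
STAGING_KINDS = {"ss": "screenshot", "aa": "audio capture", "kk": "keylog", "dd": "arbitrary data"}

def classify_staging_name(name):
    """Return the capture type for a Mokes-style staging filename, or None if it does not match."""
    m = MOKES_STAGING_RE.match(name)
    if not m:
        return None
    # Reject names whose DDMMyy / HHmmss fields cannot be a real timestamp (cuts false positives).
    d, t = m.group("date"), m.group("time")
    day, month = int(d[:2]), int(d[2:4])
    hour, minute, sec = int(t[:2]), int(t[2:4]), int(t[4:])
    if not (1 <= day <= 31 and 1 <= month <= 12 and hour < 24 and minute < 60 and sec < 60):
        return None
    return STAGING_KINDS[m.group("kind")]

def scan_tmpdir_names(names):
    """Group the filenames that match the staging pattern by capture type."""
    hits = {}
    for name in names:
        kind = classify_staging_name(name)
        if kind:
            hits.setdefault(kind, []).append(name)
    return hits

def find_persistence_candidates(home, exists=os.path.exists):
    """Return the persistence paths under `home` that exist; `exists` is injectable for testing."""
    return [p for p in (posixpath.join(home, rel) for rel in MOKES_PERSISTENCE_PATHS) if exists(p)]

# Constructed sample listing (not real indicators); the fifth name has a mismatched extension and is ignored.
SAMPLE_TMP_NAMES = [
    "ss0-160916-142301-001.sst", "aa0-160916-142305-002.aat", "kk0-160916-142310-003.kkt",
    "dd0-160916-142312-004.ddt", "ss0-160916-142301-001.aat", "com.apple.launchd.abc",
]
```

On a live Mac, call `find_persistence_candidates(os.path.expanduser("~"))` and `scan_tmpdir_names(os.listdir(os.environ.get("TMPDIR", "/tmp")))`; anything returned deserves a look at the file's contents and its launching plist rather than immediate deletion, so the evidence is preserved.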

Along with other OS X-based malware, Mokes.a proves that attackers are targeting Macs (albeit much less than Windows-based machines).

With that in mind, OS X users should install an anti-virus solution on their computers. They can also check their machines for the files associated with this latest OS X backdoor by referring to Ortloff’s report here.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Holy Mokes! OS X users warned of sophisticated backdoor malware”

  1. LizW

    What is a good anti-virus program to use on a Mac? I have always been told I don't need one.

  2. kim

    Yes, I am a Mac user who has been victimized by this vicious malware. It has copied itself repeatedly and has altered documents, gotten into PayPal accounts, redirected much of my web browsing to install more malware, and the list goes on and on.

    The crime is way beyond grand larceny; it not only has stolen tens of thousands of dollars but has also negated any sense of privacy that one may ever have considered.

    Just a good thing that I'm very innocent and have nothing to hide… well, except for my personal and bank information…

    At first I thought I was delusional… paranoid… surely PayPal and my Mac are safe… Not so.

    I will never trust my personal computer again…
