Malware researchers from Kaspersky Lab confirmed the existence of an OS X variant of a recently discovered family of cross-platform backdoors. The backdoors family was named Mokes and a strain of malware was first spotted in January, but its existence was confirmed only this week.
“Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx.” wrote Kaspersky.
The malicious code is able to steal various kinds of data from an infected system, including screenshots, Office-Documents (docx, .doc, .xlsx, and .xls files), Keystrokes, and Audio-/Video-Captures.
The Mokes backdoor also allows hackers to execute arbitrary commands on the victim’s computer, it works on Linux, Windows and also OS X.
The sample of OS X Mokes backdoor recently analyzed by Kaspersky was unpacked, but researchers believe it’s packed as the Linux variant spotted in January.
Once executed, the Mokes backdoor copies itself to a handful of locations, choosing the first available in the following locations:
After the malware establish a first connection with its C&C server using HTTP on TCP port 80, the backdoor communicates via TCP port 443.
The researchers discovered that the User-Agent string is hardcoded in the binary, once the server receive it, it replies with “text/html” content of 208 bytes in length. Then the encrypted connection is established using the AES-256-CBC algorithm.
The strange things that characterized the story is that despite the malware researchers spotted the first samples of backdoor in January, the number of infections samples did not increase.
Stefan Ortloff, the researcher with Kaspersky Lab’s Global Research and Analysis Team which identified the family of Mokes backdoor hasn’t provided details on the infection vector.
The report published by Kaspersky also includes the IoC for the detection of the backdoor.
(Security Affairs – Backdoor.Linux.Mokes, MAC OS X)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.