Allow me to introduce Backdoor.OSX.Mokes.a, the OS X variant of a backdoor trojan which is capable of infecting all major operating systems.
Researchers at Kaspersky Lab first came across the Windows and Linux variants of Mokes.a back in January 2016.
Like its siblings, the OS X version can steal different types of information off of a user’s infected machine.
Kaspersky researcher Stefan Ortloff explains that the malware, which is not the first OS X backdoor trojan, wastes no time once it lands on a new system:
When executed for the first time, the malware copies itself to the first available of the following locations, in this order:
In whichever location it manages to copy itself to, Mokes.a creates a plist file to achieve persistence on the system before first reaching out to its command-and-control (C&C) server using HTTP on TCP port 80.
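The persistence step described above is the one a defender can audit locally: a launchd plist in a LaunchAgents or LaunchDaemons directory names the executable that gets started at login or boot. The following is an added example (not code from the article or from Kaspersky's report) that parses such plists and flags jobs whose binary sits outside an assumed allowlist of install locations or in a hidden directory, with RunAtLoad and KeepAlive reported as context. The allowlist, the sample plists and every path in them are constructed for illustration and are not indicators taken from the report.

```python
import glob
import os
import plistlib
from typing import Dict, List, Optional

# Assumed allowlist for this example: prefixes from which a legitimately installed
# launchd job is normally expected to run. Not taken from the Kaspersky report.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/")


def program_path(job: dict) -> Optional[str]:
    """Return the executable a launchd job would start, if the plist names one."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess_job(data: bytes) -> Dict[str, object]:
    """Parse one launchd plist (XML or binary) and report indicators worth a manual look."""
    job = plistlib.loads(data)
    path = program_path(job)
    findings: List[str] = []
    if path is None:
        findings.append("no Program or ProgramArguments")
    else:
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append("executable outside trusted prefixes: " + path)
        # A path component starting with '.' is hidden from Finder and a plain 'ls'
        if any(part.startswith(".") for part in path.split("/") if part):
            findings.append("executable in a hidden path")
    if job.get("RunAtLoad") is True:
        findings.append("RunAtLoad: starts at login/boot")
    if job.get("KeepAlive") not in (None, False):
        findings.append("KeepAlive: relaunched if killed")
    # Auto-start flags alone are normal; flag only when the binary location is odd too.
    suspicious = any(f.startswith(("executable", "no Program")) for f in findings)
    return {"label": job.get("Label", "<none>"), "program": path,
            "findings": findings, "suspicious": suspicious}


def scan_launch_dirs(dirs) -> List[Dict[str, object]]:
    """Assess every *.plist in the given directories; unreadable files are reported, not fatal."""
    results = []
    for d in dirs:
        for p in glob.glob(os.path.join(os.path.expanduser(d), "*.plist")):
            try:
                with open(p, "rb") as fh:
                    r = assess_job(fh.read())
            except Exception as exc:  # malformed plist is itself worth a look
                r = {"label": p, "program": None,
                     "findings": ["unparseable: %s" % exc], "suspicious": True}
            r["file"] = p
            results.append(r)
    return results


# Constructed sample plists for offline use; labels and paths are invented for illustration.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array><string>/Users/demo/Library/.cache/helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    # Real run: walk the usual per-user and system launchd directories.
    for r in scan_launch_dirs(["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]):
        if r["suspicious"]:
            print(r["file"], r["findings"])
```

Run it as-is on a Mac to list jobs that start a binary from an unexpected or hidden location; anything it flags still needs a human to confirm what the binary is, since a poorly packaged but legitimate tool produces the same pattern.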
If all goes well, the server replies with “text/html” content 208 bytes in length, allowing the binary to set up an encrypted communication channel.
The malware can then load up its backdoor functionalities, including the ability to capture audio and screenshots, monitor removable media, and scan the infected machine for available Office documents.
Those aren’t the only files for which Mokes.a can scan, however. As Ortloff explains:
“The attacker controlling the C&C server is also able to define own file filters to enhance the monitoring of the file system as well as executing arbitrary commands on the system.”
Just in case something happens to the C&C server, the backdoor can also upload all of its captured data to a series of temporary files:
Along with other OS X-based malware, Mokes.a proves that attackers are targeting Macs (albeit much less than Windows-based machines).
With that in mind, OS X users should install an anti-virus solution onto their computers. They can also look for certain files associated with the latest OS X backdoor on their machines by referring to Ortloff’s report here.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.