New Backdoor Creeps Its Way onto Mac OS X
An existing backdoor threat makes its way onto OS X
In the second week of September, security researchers with Kaspersky Lab pinned down a new version of an existing family of backdoors. The backdoor was first discovered in January 2016, when Kaspersky spotted and detailed the Mokes backdoor family. The threat was cross-platform from the start, targeting Windows and Linux. The new Mac OS X version has now been described in great detail by analyst Stefan Ortloff.
The threat is clearly a full-featured one, and this is evident even from the short initial description Ortloff gives. Named Backdoor.OSX.Mokes, the Mac version of the malware can steal a large assortment of data from the compromised system, including screen grabs and audio clips recorded through the machine's attached peripherals, as well as keystroke logs. Monitoring the file system and scanning for Office file extensions and documents is also built into the malware. The Mac version of Mokes can also monitor for external USB drive connections. Execution of 'arbitrary commands' on the compromised machine is also an option for the people running the threat's C&C servers.
The backdoor uses strong encryption to transmit data between the host system and its servers, relying on AES-256 in CBC (cipher block chaining) mode.
Mokes Mode of Operation
The sample analyzed by Ortloff and his team was unpacked, even though they believe the file is usually packed, as was the case with its Linux version. Upon execution, the threat checks a list of candidate directories and copies itself into the first one it finds. The list includes OS X system directories, as well as cache and user-profile directories belonging to Chrome, Firefox, and Dropbox.
Once it has deployed to that new location, the OS X version of Mokes creates a plist (property list) file, Apple's XML-based configuration format, to secure its persistence on the compromised system. The next step is establishing contact with the command-and-control server. Communication between the malware and the C&C server is done over HTTP on TCP port 80, with the traffic encrypted using the aforementioned AES-256.
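A defender can look for the two traits just described together: a launch item whose executable lives inside a browser or Dropbox cache/profile directory. The following is an added example, not code from the article or from Kaspersky; it assumes the persistence plist is a launchd item with a ProgramArguments or Program key (the article does not name the plist's location), and the directory fragments and sample plists are constructed for illustration.

```python
import plistlib
from pathlib import Path

# Fragments of the cache/profile directories the article says Mokes copies itself
# into (Chrome, Firefox, Dropbox); the exact paths are an assumption, not from the text.
SUSPECT_DIR_FRAGMENTS = (
    "Library/Caches/Google/Chrome",
    "Library/Application Support/Google/Chrome",
    "Library/Application Support/Firefox/Profiles",
    "Library/Application Support/Dropbox",
)

# Constructed sample launch items (not real Mokes artifacts): an ordinary agent and
# one whose executable sits inside a browser profile directory.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Users/alice/Library/Application Support/Google/Chrome/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def program_path(plist_bytes):
    """Return the executable a launchd plist starts, or None if unreadable or absent."""
    try:
        data = plistlib.loads(plist_bytes)
        args = data.get("ProgramArguments") or [data.get("Program")]
    except Exception:  # malformed plist or non-dict root: skip rather than abort the scan
        return None
    return str(args[0]) if args[0] else None

def is_suspect(plist_bytes):
    """True when the launch item's executable lives in a cache or profile directory."""
    path = program_path(plist_bytes)
    return path is not None and any(frag in path for frag in SUSPECT_DIR_FRAGMENTS)

def scan_launch_agents(directory):
    """Scan every *.plist in a LaunchAgents directory; return (file name, program) hits."""
    hits = []
    for plist_file in sorted(Path(directory).glob("*.plist")):
        raw = plist_file.read_bytes()
        if is_suspect(raw):
            hits.append((plist_file.name, program_path(raw)))
    return hits
```

Run `scan_launch_agents(Path.home() / "Library/LaunchAgents")` to check a user's own launch items; a hit is a lead for inspection, not proof of infection.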
Next, Mokes sets up its backdoor functionality, getting ready to capture screenshots, record audio and monitor the file system and external drives. The threat has built-in functionality to create temporary files and store this information, in case the C&C server cannot be contacted.
The article published by Ortloff gives little information about the infection vector, but in the comments section below it he explains that every vector is a possibility, including infection through malware already present on the system, exploits, and social engineering.
Even though malware targeting Apple's products is relatively uncommon, especially when compared against the tide of PC threats, it has been gaining momentum over the past few years. Some notable examples include WireLurker, XcodeGhost, and YiSpecter.