
OSX/Mokes

Posted: December 2, 2019

OSX/Mokes is a macOS variant of the Mokes family of backdoor Trojans. As with other members, it can offer attackers a backdoor into your computer for controlling or observing it, as well as various data-collecting features, including both automatic and customizable ones. Users of macOS machines can protect themselves with compatible anti-malware programs for deleting OSX/Mokes as soon as it's detected.

A Software Family Gets a Port that No One Wanted

Mokes, an already capable family of backdoor Trojans, is expanding the range of systems it can compromise. After starting with Windows and Linux, a new variant, OSX/Mokes, has moved over to macOS. Beyond the changes needed for compatibility, such as using the Qt cross-platform framework and LaunchAgent-based persistence, OSX/Mokes is a standard member of its family with all of the expected attack capabilities.

OSX/Mokes has two goals: setting up a persistent backdoor through which its remote operators can access the computer, and exfiltrating information to a Command & Control server. Before doing so, it installs itself in one of several plausible-looking and concealed locations, including folders belonging to unrelated programs like Skype, Chrome or Firefox. Some of its features are partially or entirely automated, such as taking screenshots every thirty seconds.

As for its other features, malware researchers note its capacity for recording both audio and video. The backdoor Trojan can also log keystrokes, collect text documents such as Office DOCX files, and monitor removable storage devices such as USB drives. It may also fetch further commands from its attacker's server or execute remote code, potentially leading to the installation of additional threats.

Taking Down Traditional Trojans with Equally-Traditional Defenses

Professionally-coded Trojans for macOS need some way around the system's built-in security measures. OSX/Mokes includes a feature for counteracting Gatekeeper, much like OSX/Linker, and obfuscates its network traffic with AES-256 encryption (which readers shouldn't confuse with the encryption a file-locking Trojan uses against the user's files). While it chooses from a fixed list of installation locations, the flexibility and legitimacy of those directories make it harder for an inquisitive user to spot.
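A defender-side check for the two points above, LaunchAgent-based persistence and installation inside another program's folders: the script below is an added example, not code from the original write-up or from any OSX/Mokes sample. It parses LaunchAgent plists and flags any whose executable lives in another application's data folder or outside the usual install prefixes. The directory fragments for Skype, Chrome and Firefox, the trusted prefixes, and the sample plist contents are assumptions constructed for the example; the write-up names those programs but not exact paths or file names.

```python
import os
import plistlib
from pathlib import Path

# Directory fragments where a LaunchAgent's binary would be out of place. The
# write-up names Skype, Chrome and Firefox as the unrelated programs whose
# folders are used, but not the exact paths, so these fragments are assumptions.
SUSPECT_PARENTS = (
    "Library/Application Support/Skype",
    "Library/Application Support/Google/Chrome",
    "Library/Application Support/Firefox",
)

# Prefixes under which a legitimately installed agent's executable normally lives.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/", "/opt/", "/bin/", "/sbin/")


def program_path(plist):
    """Return the executable a LaunchAgent starts: the Program key, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def classify(name, data):
    """Parse one LaunchAgent plist (bytes) and return a finding dict for it."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed or non-plist file: report it, never abort the audit
        return {"file": name, "verdict": "unparseable", "program": "", "reasons": [str(exc)]}
    path = os.path.expanduser(program_path(plist))
    reasons = []
    if any(fragment in path for fragment in SUSPECT_PARENTS):
        reasons.append("binary inside another application's data folder")
    if path and not path.startswith(TRUSTED_PREFIXES):
        reasons.append("binary outside standard install locations")
    verdict = "ok"
    if reasons:
        verdict = "suspicious"
        # Auto-start is only worth noting once the location already looks wrong;
        # most benign agents use RunAtLoad too.
        if plist.get("RunAtLoad") or plist.get("KeepAlive"):
            reasons.append("starts at login / kept alive")
    return {"file": name, "verdict": verdict, "program": path, "reasons": reasons}


def audit(plists):
    """Classify a {filename: plist_bytes} mapping; suspicious, then unparseable, then ok."""
    order = {"suspicious": 0, "unparseable": 1, "ok": 2}
    findings = (classify(name, data) for name, data in plists.items())
    return sorted(findings, key=lambda f: (order[f["verdict"]], f["file"]))


def scan_directory(directory):
    """Read every *.plist in a real LaunchAgents folder and audit it."""
    files = {p.name: p.read_bytes() for p in Path(directory).expanduser().glob("*.plist")}
    return audit(files)


# Constructed sample plists for offline use; none of these are real OSX/Mokes artifacts.
SAMPLE_PLISTS = {
    "com.example.helper.plist": plistlib.dumps({
        "Label": "com.example.helper",
        "ProgramArguments": ["/Applications/ExampleApp.app/Contents/MacOS/ExampleHelper"],
        "RunAtLoad": True,
    }),
    "com.skype.sync.plist": plistlib.dumps({
        "Label": "com.skype.sync",
        "ProgramArguments": ["~/Library/Application Support/Skype/skypesync", "--daemon"],
        "RunAtLoad": True,
    }),
    "com.chrome.helper.plist": plistlib.dumps({
        "Label": "com.chrome.helper",
        "Program": "/Users/demo/Library/Application Support/Google/Chrome/chromehelper",
        "KeepAlive": True,
    }),
    "broken.plist": b"not a property list",
}


if __name__ == "__main__":
    for finding in scan_directory("~/Library/LaunchAgents"):
        print(finding["verdict"], finding["file"], finding["program"], "; ".join(finding["reasons"]))
```

Run as a script it audits the current user's `~/Library/LaunchAgents`; pass `/Library/LaunchAgents` or `/Library/LaunchDaemons` to `scan_directory` to cover the system-wide locations. The output is a triage list, not a verdict: a hit means the agent's program path deserves a look (code signature, creation time, what it connects to), and a clean result only covers the persistence mechanism this write-up describes.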

Malware researchers are still collecting information on this Mokes variant's infection mechanisms. What is definite is that the OSX/Mokes campaign currently targets cryptocurrency users, such as owners of Bitcoin or Monero wallets. That preference suggests OSX/Mokes aims to collect cryptocurrency or the associated credentials, or possibly even to hijack transactions.

Always keep your anti-malware services' databases up to date so they can identify new threats as accurately as possible. Users who do so and run active anti-malware products should have OSX/Mokes removed automatically, regardless of where its components are located.

Mokes is a problem for virtually every operating system of significance, but OSX/Mokes emphasizes that minority platforms are never as safe as their users would like. Relying on scarcity for immunity to spying Trojans is a poor proposition, even if it is a little better than being the average Windows user.
