Macs Targeted with Backdoor

Friday, September 9, 2016 @ 02:09 PM gHale


It was only a matter of time: new malware targeting Macintosh machines is now out there, researchers said.

Called Mokes, the backdoor is capable of taking screenshots, recording keystrokes, capturing audio, and searching through Office documents and removable storage devices, said researchers at Kaspersky Lab. Mokes, also known as Ekoms, can also execute arbitrary commands on the system.


This version comes on the heels of a Linux and a Windows version, and it’s written in C++ using Qt, a cross-platform application framework.

When executed for the first time, the Kaspersky researchers said the malware copies itself to the first available of the following locations, in this order:
• $HOME/Library/App Store/storeuserd
• $HOME/Library/com.apple.spotlight/SpotlightHelper
• $HOME/Library/Dock/com.apple.dock.cache
• $HOME/Library/Skype/SkypeHelper
• $HOME/Library/Dropbox/DropboxCache
• $HOME/Library/Google/Chrome/nacld
• $HOME/Library/Firefox/Profiles/profiled

Of the three versions, the Mac malware is the most capable, the researchers said.

One of the things it does is copy itself into folders associated with widely used software such as Skype, Chrome, and Firefox, and it uses a plist file to achieve persistence on the system.
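A defender-side check built from the drop locations listed above and the plist-based persistence described here, as an added example that is not part of the original article or of Kaspersky's tooling: it reports which of the reported paths exist under a home directory and which user LaunchAgent plists point at one of them. The plist name, label and fake home directory in the self-check are constructed placeholders.

```python
import plistlib
import tempfile
from pathlib import Path

# Drop locations Kaspersky reported for the Mac version of Mokes, relative to $HOME.
MOKES_DROP_PATHS = [
    "Library/App Store/storeuserd",
    "Library/com.apple.spotlight/SpotlightHelper",
    "Library/Dock/com.apple.dock.cache",
    "Library/Skype/SkypeHelper",
    "Library/Dropbox/DropboxCache",
    "Library/Google/Chrome/nacld",
    "Library/Firefox/Profiles/profiled",
]

def find_dropped_binaries(home):
    """Return the reported drop paths that exist as files under the given home directory."""
    home = Path(home)
    return [rel for rel in MOKES_DROP_PATHS if (home / rel).is_file()]

def find_launch_agents(home):
    """Return user LaunchAgent plists whose Program/ProgramArguments point at a drop path."""
    home = Path(home)
    targets = {str(home / rel) for rel in MOKES_DROP_PATHS}
    agents_dir = home / "Library/LaunchAgents"
    hits = []
    if not agents_dir.is_dir():
        return hits
    for plist_file in sorted(agents_dir.glob("*.plist")):
        try:
            with open(plist_file, "rb") as fh:
                data = plistlib.load(fh)
            programs = [data.get("Program")] + list(data.get("ProgramArguments", []))
        except Exception:
            continue  # unreadable or malformed plist: it cannot launch anything from here
        if any(p in targets for p in programs if isinstance(p, str)):
            hits.append(plist_file.name)
    return hits

def self_check():
    """Constructed fixture: a fake home with one planted drop path and one LaunchAgent."""
    home = Path(tempfile.mkdtemp())
    planted = home / "Library/Skype/SkypeHelper"
    planted.parent.mkdir(parents=True)
    planted.write_bytes(b"placeholder")  # stands in for the dropped binary, not real content
    agents = home / "Library/LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / "com.example.helper.plist", "wb") as fh:  # constructed name
        plistlib.dump({"Label": "com.example.helper", "RunAtLoad": True,
                       "ProgramArguments": [str(planted)]}, fh)
    (agents / "broken.plist").write_bytes(b"not a plist")  # exercises the malformed case
    return find_dropped_binaries(home), find_launch_agents(home)

if __name__ == "__main__":
    print(self_check())
```

Run it against a real account by calling `find_dropped_binaries(Path.home())` and `find_launch_agents(Path.home())`; a match is a reason to pull the file and the plist for analysis, not proof of infection on its own.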

The backdoor’s communication with its C&C server is encrypted with AES-256-CBC. If the C&C server is unavailable, it temporarily stores the collected data on the compromised system.

“The attacker controlling the C&C server is also able to define own file filters to enhance the monitoring of the file system as well as executing arbitrary commands on the system,” Kaspersky Lab researcher Stefan Ortloff said in a blog post.

Researchers remain unclear on how the malware is distributed.