Mokes

Mokes Backdoor Malware

Sad Finder

A Kaspersky researcher discovered a variant of the Mokes backdoor on OS X. It allows an attacker to spy on the victim and to execute code remotely.

Stefan Ortloff, a researcher at Kaspersky Lab, has published several technical papers on Securelist, including one on this OS X version of the backdoor. Mokes for OS X has the same characteristics as the Windows and Linux variants. It can, for example, record audio and take screenshots every 30 seconds on the victim's machine. The backdoor can detect the presence of removable storage media such as USB keys, and can also monitor for specific file types such as .docx, .doc, .xls and .xlsx. Attackers can use the backdoor to execute arbitrary commands on the system, and can monitor and refine its behaviour through filters issued by the command-and-control server. By examining a sample of the backdoor, Stefan Ortloff found that once executed it copies itself to various locations:

Specification of Mokes:

Name:

HEUR:Backdoor.OSX.Mokes.a

Hash:

664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c

Drop locations on the system:

$HOME/Library/App Store/storeuserd
$HOME/Library/com.apple.spotlight/SpotlightHelper
$HOME/Library/Dock/com.apple.dock.cache
$HOME/Library/Skype/SkypeHelper
$HOME/Library/Dropbox/DropboxCache
$HOME/Library/Google/Chrome/nacld
$HOME/Library/Firefox/Profiles/profiled

Hosts:

IP: 158.69.241.141
DOMAIN: jikenick12and67.com
IP: 95.211.172.143
DOMAIN: cameforcameand33212.com

Development:

The OS X version of Mokes.A is written in C++ using Qt, a cross-platform application framework, and is statically linked against OpenSSL.

More information:

Once installed, it establishes a connection with the command-and-control (C&C) server via HTTP on TCP port 80; it then communicates over TCP port 443 using AES-256. This version appeared recently, alongside the Linux variant. Last July, the Bitdefender team alerted the community to the existence of another piece of OS X malware called "Backdoor.MAC.Eleanor".
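As an added triage example (not Kaspersky's, Securelist's or this page's own code), the script below checks a home directory for the drop locations listed above, compares any file found against the published hash, and scans log lines for the published C&C hosts; the function names and the sample log lines used in testing are constructed assumptions.

```python
"""Triage helper for the Mokes OS X indicators published on this page.
Added example; function names are constructed, not part of any tool."""
import hashlib
import re
from pathlib import Path

# Sample hash and drop paths (relative to $HOME) as published above.
MOKES_SHA256 = "664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c"
MOKES_DROP_PATHS = [
    "Library/App Store/storeuserd",
    "Library/com.apple.spotlight/SpotlightHelper",
    "Library/Dock/com.apple.dock.cache",
    "Library/Skype/SkypeHelper",
    "Library/Dropbox/DropboxCache",
    "Library/Google/Chrome/nacld",
    "Library/Firefox/Profiles/profiled",
]
# C&C IPs and domains as published above.
MOKES_C2 = {"158.69.241.141", "jikenick12and67.com",
            "95.211.172.143", "cameforcameand33212.com"}
_TOKEN_SPLIT = re.compile(r"[\s/:,\"'()\[\]=<>]+")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_home(home: Path) -> list[dict]:
    """Report every known drop location present under `home`.
    Presence alone is suspicious: none of these files belong to the real
    Spotlight, Dock, Skype, Dropbox, Chrome or Firefox. A hash match ties
    the file to the published sample; a mismatch is still reported, since
    it may be a rebuilt variant and needs a manual look."""
    findings = []
    for rel in MOKES_DROP_PATHS:
        p = home / rel
        if p.is_file():
            digest = sha256_file(p)
            findings.append({"path": str(p), "sha256": digest,
                             "known_sample": digest == MOKES_SHA256})
    return findings


def find_c2_contacts(log_lines: list[str]) -> list[str]:
    """Return log lines whose host tokens match a Mokes C&C IP or domain.
    Tokens are compared whole, so a longer name that merely contains the
    published domain (e.g. a lookalike subdomain) is not flagged."""
    return [line for line in log_lines
            if set(_TOKEN_SPLIT.split(line.lower())) & MOKES_C2]
```

Run `scan_home(Path.home())` on a suspect Mac and feed proxy, DNS or firewall lines to `find_c2_contacts` to confirm or rule out the indicators from this page.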