Mokes Backdoor Malware

Sad Finder

A Kaspersky researcher has discovered a variant of the Mokes backdoor on OS X. It lets an attacker spy on the victim and execute code remotely.

Stefan Ortloff, a researcher at Kaspersky Lab, has published several technical papers on Securelist, including one on this OS X version of the backdoor. Mokes for OS X has the same characteristics as the Windows and Linux variants. For example, it records audio and takes screenshots every 30 seconds on the victim's machine. The backdoor can detect the presence of removable storage such as a USB key, and it also monitors for specific file types such as .docx, .doc, .xls and .xlsx. Attackers can use the backdoor to execute arbitrary commands on the system, and what it monitors can be refined through filters issued by the command-and-control server. By examining the sample, Stefan Ortloff found that once executed, the backdoor copies itself to several locations:

Specifications of Mokes:

Name:

HEUR:Backdoor.OSX.Mokes.a

Hash (SHA-256):

664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c

Paths inside the system:

$HOME/Library/App Store/storeuserd
$HOME/Library/com.apple.spotlight/SpotlightHelper
$HOME/Library/Dock/com.apple.dock.cache
$HOME/Library/Skype/SkypeHelper
$HOME/Library/Dropbox/DropboxCache
$HOME/Library/Google/Chrome/nacld
$HOME/Library/Firefox/Profiles/profiled

Hosts:

IP: 158.69.241.141
DOMAIN: jikenick12and67.com
IP: 95.211.172.143
DOMAIN: cameforcameand33212.com

Dev:

The OS X version of Mokes.A is written in C++ using Qt, a cross-platform application framework, and is statically linked against OpenSSL.
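The indicators above can be turned into a simple host triage. The following script is an added example (not from the report or from Rbcafe): it checks the listed persistence paths under a given home directory, hashes anything found against the published SHA-256, and flags log lines that reference the listed C&C hosts. Presence of a file at one of those paths is the indicator; a recompiled sample changes the hash but not the path.

```python
"""Host triage for the Mokes OS X indicators listed above (added example)."""
import hashlib
import re
from pathlib import Path

# Persistence paths reported for the OS X variant, relative to $HOME.
MOKES_PATHS = [
    "Library/App Store/storeuserd",
    "Library/com.apple.spotlight/SpotlightHelper",
    "Library/Dock/com.apple.dock.cache",
    "Library/Skype/SkypeHelper",
    "Library/Dropbox/DropboxCache",
    "Library/Google/Chrome/nacld",
    "Library/Firefox/Profiles/profiled",
]

# SHA-256 of the analysed sample, as published.
MOKES_SHA256 = "664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c"

# C&C hosts from the report; \b stops 95.211.172.143 matching inside 195.211.172.143.
MOKES_HOSTS = ["158.69.241.141", "jikenick12and67.com",
               "95.211.172.143", "cameforcameand33212.com"]
C2_RE = re.compile(r"\b(" + "|".join(map(re.escape, MOKES_HOSTS)) + r")\b")


def sha256_of(path):
    """Stream the file so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_home(home):
    """(path, sha256, matches_published_sample) for each listed path that exists.
    Presence is the indicator: a rebuilt sample changes the hash, not the path."""
    findings = []
    for rel in MOKES_PATHS:
        p = Path(home) / rel
        if p.is_file():
            digest = sha256_of(p)
            findings.append((str(p), digest, digest == MOKES_SHA256))
    return findings


def flag_c2_lines(lines):
    """Return the log or DNS lines that reference one of the listed C&C hosts."""
    return [ln for ln in lines if C2_RE.search(ln)]
```

Call check_home with the user's home directory (for example the value of $HOME) and feed flag_c2_lines with proxy, firewall or DNS log lines; any hit warrants a closer look at the file or the connecting host.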

More information:

Once installed, it connects to the command-and-control (C&C) server over HTTP on TCP port 80 and then communicates over TCP port 443 using AES-256. This version appeared recently, alongside the Linux variant. Last July, the Bitdefender team alerted the community to the existence of a piece of malware called "Backdoor.MAC.Eleanor".


Rbcafe

Rbcafe provides software, shareware and freeware for Mac OS X since 2004. Since 2010, Rbcafe distributes software on the Mac App Store.
