What's behind backdoor #3? Mac version of Mokes malware follows Linux, Windows variants

Seven months after publicly dissecting the Linux and Windows versions of Mokes – a malicious, cross-platform backdoor with spying functionality – Kaspersky Lab today released an analysis of a newly discovered version targeting Apple's OS X operating system.

The malware is programmed to swipe data and images from a victim's machine, including screenshots taken every 30 seconds, audio and video captures, documents and keystrokes, Kaspersky Lab reported via its Securelist blog. (However, depending on the sample, certain modules are inactive.) It is also capable of executing arbitrary commands. Kaspersky virus analyst and blog post author Stefan Ortloff told SCMagazine.com in an email interview that the cyber-security research group received the backdoor from one of its partners on Tuesday.

In a January blog post that examined the backdoor's Linux and Windows versions, Ortloff predicted that a Mac-focused variant would eventually surface as well. That's because Mokes (the Linux version is also known as Ekocms) is written in the C++ programming language using Qt, a cross-platform application framework that lets the same malware code be built for multiple operating systems. Aside from some minor differences, the Windows, Linux and OS X versions are essentially alike. “All variants for the three supported operating systems have the same code base,” said Ortloff.

Mokes' ability to operate on multiple platforms, and thereby infect a wider range of potential victims, sets it apart from typical malware. “Since most of the potential targets are Windows machines, the malware underground economy concentrates on developing malware for [the Windows] operating system. It takes more effort, and is more expensive and more time-consuming to develop code which can be compiled for all major OS,” Ortloff explained. Still, this latest discovery demonstrates that “every operating system can be targeted by malware creators, and there is also active development in the non-Windows malware field.”

After executing and achieving persistence on an infected system, the Mokes OS X variant contacts its command-and-control (C&C) server with a heartbeat request over plain HTTP – the same as the Windows and Linux versions. Once the C&C server responds, all further communication, including data exfiltration, takes place over a secure, encrypted connection.

Kaspersky was not told how the analysed Mokes sample originally infected its victim, Ortloff told SC.
