Kaspersky researchers uncover Backdoor.OSX.Mokes

Sep 7, 2016 19:50 GMT

Security researchers have identified the Mac version of a backdoor trojan that was previously thought to infect only Linux and Windows systems.

Discovered in January 2016 under the name Linux.Ekocms, this backdoor trojan was believed to infect Linux computers only, allowing attackers to record audio and take screenshots on infected machines.

Ten days after researchers from Dr.Web uncovered the Linux version, the other big Russian antivirus maker, Kaspersky, discovered a Windows counterpart with most of the same features, a trojan it detects under the name Mokes.

Researchers foresaw a Mac variant last January

During its analysis of the Windows Mokes samples, Kaspersky observed that the trojan was coded in C++ and Qt, a cross-platform application framework that would have allowed Mokes, at least in theory, to target Mac devices as well.

After a period of general calm, Kaspersky announced today that it has detected the first samples of the Mokes trojan capable of infecting Mac OS X systems.

The OS X version of Mokes has the same spying capabilities as its Linux and Windows predecessors.

Once on a Mac, the trojan opens a connection to its C&C server that is encrypted with AES-256-CBC.

Mokes is used to take screenshots and record audio and video

Once the crook has a direct line to an infected Mac, they can send commands to the trojan to perform several actions, such as logging keystrokes, scanning for office-related documents, capturing audio and video from the device's microphone and camera, or taking screenshots of the user's desktop.

In recent months, the amount of malware targeting Linux and Mac devices has gone up in record numbers.

For example, in July alone, security researchers from Bitdefender discovered another backdoor trojan, called Eleanor, that used Tor to open connections on infected devices and steal data.

A day after Bitdefender's discovery, security researchers from ESET detected Keydnap, a Mac trojan that could extract passwords from the Keychain utility and send them to the attacker's server.