Threat Intelligence, Incident Response, Malware, TDR

What’s behind backdoor #3? Mac version of Mokes malware follows Linux, Windows variants

Seven months after publicly dissecting the Linux and Windows versions of Mokes – a malicious, cross-platform backdoor with spying functionality – Kaspersky Lab today released an analysis of a newly discovered version targeting Apple's OS X operating system.

The malware is programmed to swipe data and images from a victim's machine, including screenshots taken every 30 seconds, audio and video captures, documents and keystrokes, Kaspersky Lab reported via its Securelist blog. (However, depending on the sample, certain modules are inactive.) It is also capable of executing arbitrary commands. Kaspersky virus analyst and blog post author Stefan Ortloff told in an email interview that the cybersecurity research group received the backdoor from one of its partners just yesterday.

In a January blog post that examined the backdoor's Linux and Windows versions, Ortloff predicted that a Mac-focused variant would eventually surface as well. That's because Mokes (the Linux version is also known as Linux.Ekoms.1) is written in C++ programming language using Qt, a cross-platform application framework that makes the malware compatible with any operating system. Aside from some minor differences, the Windows, Linux and OS X versions are essentially alike. “All variants for the three supported operating systems have the same code base,” said Ortloff.

Mokes' ability to operate on various platforms, thereby infecting a wider breadth of potential victims, sets it apart from prototypical malware programs. “Since most of the potential targets are Windows machines, the malware underground economy concentrates on developing malware for [the Windows] operating system. It takes more effort, and is more expensive and more time-consuming to develop code which can be compiled for all major OS,” Ortloff explained. Still, this latest discovery demonstrates that “Every operating system can be targeted by malware creators, and there is also active development in the non-Windows malware field.”

After executing and achieving persistence on an infected system, the Mokes OS X variant contacts its command-and-control server via a heartbeat request over the HTTP protocol – same as the Windows and Linux versions. Once the C&C server responds, all additional communications, including data exfiltration, take place via over a secure, encrypted connection.

Kaspersky was not told how the analyzed Mokes sample originally infected its victim, Ortloff told

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.