Sophisticated Mac OS X backdoor uncovered

Researchers say the malware is able to steal data including audio, video and keystrokes.
Written by Charlie Osborne, Contributing Writer

Security researchers have discovered a sophisticated strain of malware which has shifted across platforms in order to target Mac OS X users.

This week, Kaspersky Lab security experts revealed the existence of Backdoor.OSX.Mokes, an OS X-based variation of the Mokes malware family which was discovered back in January.

According to the team, the malicious code is now able to operate on all major operating systems including Windows, Linux and Mac.

Stefan Ortloff, a researcher with Kaspersky Lab's Global Research and Analysis Team, says the sample which was investigated by the team came unpacked, but he suspects that versions in the wild are packed, just like other OS variants of the malware.

The new strain of malware is written in C++ using the cross-platform application framework Qt, and is linked to OpenSSL.

When executed for the first time, the malicious code copies itself to a variety of system library locations, hiding away in folders belonging to apps and services including Skype, Google, Firefox and the App Store. Mokes then tampers with the PC to achieve persistence and connects to the C&C server using HTTP on TCP port 80.

In a blog post, Kaspersky said the backdoor malware is able to steal a wide variety of information from a target computer. The malicious code not only captures screen activity every 30 seconds but is able to detect and monitor removable storage in addition to recording video and audio, ransack Office documents -- those that are .xls, .xlsx, .doc and .docx file types -- and record keystrokes.

The malware is also able to execute arbitrary code on the Mac machine, which gives Mokes powerful capabilities to tamper with a compromised machine.

The operator working through the C&C server is also able to define their own filters on how the malware should spy upon its victim and execute additional commands if they wish.

In addition, Mokes uses tough AES-256-CBC encryption to communicate with the malware's command and control (C&C) server and hide its activities.

It is not yet known how widespread infections are or how much of a risk Mokes is to Mac users.

Mac OS X-based backdoors are not unheard of but are far less common than Microsoft Windows variants. In July, researchers from Malwarebytes exposed Backdoor.MAC.Eleanor, a new breed of malicious code crafted for Apple's operating system. The malware, discovered within free Mac apps, is able to install backdoors, spy on victims and give attackers remote access to compromised machines.

ZDNet has reached out to Apple and will update if we hear back.

Cybersecurity reads which belong on every bookshelf

Editorial standards