Researchers on Wednesday confirmed that an OS X variant of a recently discovered family of cross-platform backdoors exists.
Stefan Ortloff, a researcher with Kaspersky Lab’s Global Research and Analysis Team, identified the family of backdoors called Mokes in January, but it wasn’t until Tuesday that an OS X variant was discovered. Ortloff wrote a technical breakdown of the backdoors, including the Linux and Windows iterations and the new OS X variant, in a series of posts on Securelist.
Similar to the Linux and Windows variants, the OS X backdoor specializes in capturing audio and taking screenshots every 30 seconds from a victim’s machine.
The variant, Backdoor.OSX.Mokes.a, can also monitor removable storage, such as whether a USB thumb drive is connected to the machine, and can monitor the file system for Office documents such as .docx, .doc, .xlsx, and .xls files.
The backdoor can also execute arbitrary commands on the system. The attacker controls this, along with what is monitored, through filters configured on the backdoor’s command and control server.
Ortloff notes the OS X sample he analyzed was already unpacked, but he believes it is usually packed, as the Linux variant he saw in January was. Once executed, the backdoor copies itself to a handful of locations, including caches that belong to Skype, Dropbox, Google, and Firefox. The technique mirrors the Linux counterpart, which after execution copied itself to locations belonging to Dropbox and Firefox.
After it establishes a connection with its command and control server via HTTP on TCP port 80, the backdoor communicates over TCP port 443 using AES-256 encryption.
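The drop locations described above suggest a simple hunt: application cache directories hold data, not executables, so a Mach-O file inside one is worth a look whatever family it belongs to. The script below is an added example for illustration, not code from the article or from Kaspersky. The article does not give the exact paths Mokes uses, so the cache roots in CACHE_DIRS are assumed, and the file tree the demo walks is constructed in a temporary directory rather than read from a real Mac. One caveat a practitioner will hit: the universal (fat) Mach-O magic 0xCAFEBABE is shared with Java class files, so the check disambiguates on the following word (nfat_arch is small, a class file’s major version is at least 45).

```python
"""Hunt for Mach-O executables sitting in per-user cache directories on macOS.

Added example; this is not code from the original article or from Kaspersky.
Ortloff's write-up says the OS X Mokes sample copies itself into caches belonging
to Skype, Dropbox, Google and Firefox, but the exact paths are not reproduced
here, so CACHE_DIRS is an assumed list and the files in the demo are constructed.
"""
import os
import struct
import tempfile
from pathlib import Path

# Thin Mach-O magics, both byte orders (32-bit and 64-bit).
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
}
# Universal (fat) Mach-O header. Java class files share this magic value.
FAT_MAGIC = b"\xca\xfe\xba\xbe"

# Assumed hunt roots under the user's home. These are data stores; an
# executable inside one is suspicious regardless of the malware family.
CACHE_DIRS = [
    "Library/Caches",
    "Library/Application Support/Skype",
    "Library/Application Support/Firefox",
    "Library/Application Support/Google",
    ".dropbox",
]


def is_macho(path: Path) -> bool:
    """Return True if the file starts with a thin or fat Mach-O header."""
    try:
        with path.open("rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if len(head) < 8:
        return False
    magic, word = head[:4], head[4:8]
    if magic in THIN_MAGICS:
        return True
    if magic == FAT_MAGIC:
        # fat_header.nfat_arch is big-endian and small; a Java class file
        # carries minor/major version here and major_version is always >= 45.
        return struct.unpack(">I", word)[0] < 45
    return False


def find_executables_in_caches(home: Path) -> list[str]:
    """Walk the assumed cache roots; return Mach-O file paths relative to home."""
    hits = []
    for rel in CACHE_DIRS:
        root = home / rel
        if not root.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if not p.is_symlink() and is_macho(p):
                    hits.append(p.relative_to(home).as_posix())
    return sorted(hits)


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: a fake home directory with decoys and two planted binaries."""
    home = base / "home"
    fixtures = {
        # planted 64-bit Mach-O in a browser cache (should be reported)
        "Library/Caches/Firefox/cache2/entries/0F3A": b"\xcf\xfa\xed\xfe" + b"\0" * 28,
        # planted fat binary under the Dropbox cache (should be reported)
        ".dropbox/cache/.sync": FAT_MAGIC + b"\x00\x00\x00\x02" + b"\0" * 24,
        # Java class file in a cache: shares 0xCAFEBABE, must not be reported
        "Library/Caches/JavaApp/Foo.class": FAT_MAGIC + b"\x00\x00\x00\x34" + b"\0" * 24,
        # ordinary cache data, no executable header
        "Library/Caches/Firefox/cache2/index": b"\x00\x01\x02\x03" + b"\0" * 28,
        # a real executable outside the hunt roots: out of scope for this check
        "bin/tool": b"\xcf\xfa\xed\xfe" + b"\0" * 28,
    }
    for rel, data in fixtures.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return home


def demo() -> list[str]:
    """Build the constructed tree in a temp dir and run the hunt over it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_tree(Path(tmp))
        return find_executables_in_caches(home)


if __name__ == "__main__":
    for hit in demo():
        print("executable in cache:", hit)
```

On a real host you would call find_executables_in_caches(Path.home()) instead of the constructed tree; a hit only tells you an executable is where one should not be, so follow up with code-signature and hash checks before calling it Mokes.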
Ortloff expected to see Mac OS X samples back in January, after noticing the Windows and Linux variants; they just never surfaced.
It was only after Ortloff obtained the Linux variant, Backdoor.Linux.Mokes.a, and extracted its binary that he discovered the Windows variant, Backdoor.Win32.Mokes.imv.
Ortloff doesn’t get into the OS X backdoor’s infection vector, or how widespread its footprint may be. Nonetheless, based on his description, the Mokes OS X backdoor is a sophisticated piece of malware.
A request for comment on the backdoor to Apple was not immediately returned on Wednesday.
While not unheard of (attackers have been poking holes in OS X and, even more so, iOS as of late), OS X backdoors have been few and far between.
In 2012, researchers with Kaspersky Lab’s GReAT team intercepted an APT campaign that used a Mac OS X backdoor to target Uyghur activists. That backdoor was circulated via targeted emails containing a .zip file, a .jpeg file, and an OS X application. Once executed, the application connected to its C&C server and let the attacker execute arbitrary commands and access the infected machine’s files.
On the whole, Mac malware has emerged as a palpable threat over the last few years. WireLurker, discovered by researchers at Palo Alto Networks, was capable of stealing system information and data stored on mobile devices running iOS. Two other threats unearthed by the company, XcodeGhost and YiSpecter, respectively appended malicious code to a number of popular iOS apps and abused Apple Enterprise Program certificates to push adware.