Data Stealing Mac OS X Backdoor Uncovered

ID THREATPOST:078A58572856754DC022CA17CD4D138C
Type threatpost
Reporter Chris Brook
Modified 2016-09-07T16:55:15


Researchers on Wednesday confirmed that an OS X variant of a recently discovered family of cross-platform backdoors exists.

Stefan Ortloff, a researcher with Kaspersky Lab’s Global Research and Analysis Team, identified the family of backdoors called Mokes in January, but it wasn’t until Tuesday that an OS X variant was discovered. Ortloff wrote a technical breakdown of the backdoors, including the Linux and Windows iterations and the new OS X variant, in a series of posts on Securelist.

Similar to the Linux and Windows variants, the OS X backdoor specializes in capturing audio and taking screenshots every 30 seconds from a victim’s machine.

The variant, Backdoor.OSX.Mokes.a, can also monitor removable storage—such as whether a USB thumb drive is connected to the machine, and can also monitor the file system for Office documents such as .docx, .doc, .xlsx, and .xls files.

The backdoor can also execute arbitrary commands on the system, something the attacker can oversee and fine-tune, along with what’s monitored, via filters in the backdoor’s command and control server.

Ortloff notes the OS X sample he analyzed was already unpacked but that he believes it’s usually packed, as the Linux variant he saw in January. After it’s executed, the backdoor copies itself to a handful of locations, including any caches that belong to Skype, Dropbox, Google, and Firefox. The technique is similar to the Linux counterpart, which after execution copied itself to locations belonging to Dropbox and Firefox.

After it establishes a connection with its command and control server – via HTTP on TCP port 80– the backdoor communicates – via TCP port 443 – using AES-256 encryption.

Ortloff expected to see Mac OS X samples back in January, after noticing the Windows and Linux variants; they just never surfaced.

It was only after Ortloff was able to obtain the Linux variant, Backdoor.Linux.Mokes.a that he was able to extract its binary and discover the Windows variant, Backdoor.Win32.Mokes.imv.

Ortloff doesn’t get into the OS X backdoor’s infection vector, or how widespread its footprint may be. Nonetheless, based on his description, the Mokes OS X backdoor is a sophisticated piece of malware.

A request for comment on the backdoor to Apple was not immediately returned on Wednesday.

While not unheard of– attackers have been poking holes in OS X and more so, iOS as of late – OS X backdoors have been few and far between as of late.

In 2012 researchers with Kaspersky Lab’s GReAT team intercepted an APT campaign that used a Mac OS X backdoor to target Uyghur activists. That backdoor was circulated via targeted emails which contained a .zip file, .jpeg file, and OS X application. Once executed, the application connected to its C+C and let the attacker execute arbitrary commands and access the infected machine’s files.

On the whole, Mac malware has emerged as a palpable threat over the last few years. WireLurker, discovered by researchers at Palo Alto Networks, was capable of stealing system information and data stored on mobile devices running iOS. Two other threats unearthed by the company, XcodeGhost, appended malicious code to a number of popular iOS apps, and YiSpecter abused Apple Enterprise Program certificates to push adware.