Mokes: This Single Malware Creates “Backdoor” In Windows, Linux, Mac OS X
Short Bytes: A cross-platform malware family has been reported by a security researcher from Kaspersky Lab. The malware can create a backdoor on Windows, Linux, and Mac OS X machines to collect data, which it transmits to a command and control server over an encrypted connection.
A similar kind of backdoor called Mokes was reported for Linux and Windows operating systems by security researcher Stefan Ortloff of Kaspersky Lab in January this year.
For Linux, the backdoor, called DropboxCache aka Backdoor.Linux.Mokes.a, comes packed with UPX (Ultimate Packer for eXecutables). After initial execution on a Linux machine, it copies itself to the following locations as needed:
- $HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled
- $HOME/$QT-GenericDataLocation/.dropbox/DropboxCache
For Windows, the 32-bit Mokes.a variant is named OLMyJuxM.exe, aka Backdoor.Win32.Mokes.imv. As the name suggests, it is an executable file. It copies itself to nine different locations under the %AppData% folder on the affected Windows machine and creates an entry in the Windows Registry.
What can Mokes.a do?
Ortloff describes the Mokes malware as a capable spy. It establishes an encrypted connection to a C&C (command and control) server using AES-256-CBC. It can capture keystrokes, scan the machine for files such as office documents, monitor USB storage, take a screenshot every 30 seconds, and record audio and video clips, and it sends all of this data to the attacker-controlled C&C server.
If the C&C server is not reachable, for instance when the host is disconnected from the internet, the malware stores the collected data in a temporary file until it can be transferred.
The Missing Piece
Several months later, Ortloff found the Mac OS X sibling of the cross-platform Mokes.a backdoor family. Backdoor.OSX.Mokes.a is written in C++ using the cross-platform Qt framework and has capabilities similar to those described for the other variants.
The cross-platform malware variant on Mac OS X replicates itself in the following locations:
- $HOME/Library/App Store/storeuserd
- $HOME/Library/com.apple.spotlight/SpotlightHelper
- $HOME/Library/Dock/com.apple.dock.cache
- $HOME/Library/Skype/SkypeHelper
- $HOME/Library/Dropbox/DropboxCache
- $HOME/Library/Google/Chrome/nacld
- $HOME/Library/Firefox/Profiles/profiled
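The copy locations listed above for Linux and Mac OS X are the most concrete detection lead in this article, so here is a small triage script that checks a home directory for them. This is an added example written for this page, not code from Kaspersky or the original report. It assumes that Qt's `$QT-GenericDataLocation` resolves to `~/.local/share` on a standard Linux desktop (which is what Qt's `GenericDataLocation` maps to there), and it uses the `UPX!` marker that UPX leaves in packed binaries only as a rough hint, not as proof of anything. The `make_sample_home()` helper builds a constructed fixture so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

# Copy locations reported for Mokes, relative to the user's home directory.
# Linux: the article writes "$QT-GenericDataLocation"; on a standard desktop
# Qt resolves that to ~/.local/share, which is assumed here.
MOKES_PATHS = {
    "linux": [
        ".local/share/.mozilla/firefox/profiled",
        ".local/share/.dropbox/DropboxCache",
    ],
    "darwin": [
        "Library/App Store/storeuserd",
        "Library/com.apple.spotlight/SpotlightHelper",
        "Library/Dock/com.apple.dock.cache",
        "Library/Skype/SkypeHelper",
        "Library/Dropbox/DropboxCache",
        "Library/Google/Chrome/nacld",
        "Library/Firefox/Profiles/profiled",
    ],
}


def find_mokes_artifacts(home, platform):
    """Return the reported Mokes copy locations (relative to `home`) that exist.

    Existence alone is a lead for a hash or signature lookup, not proof of
    infection: a legitimate program could in principle use the same name.
    """
    home = Path(home)
    return [rel for rel in MOKES_PATHS[platform] if (home / rel).is_file()]


def looks_upx_packed(path, max_bytes=1 << 20):
    """Heuristic: UPX leaves the literal marker b'UPX!' in packed binaries.

    Only the first `max_bytes` are scanned. The article says the Linux sample
    ships UPX-packed, so a hit on a suspicious path is worth a closer look;
    many benign packed tools also carry this marker.
    """
    with open(path, "rb") as fh:
        return b"UPX!" in fh.read(max_bytes)


def scan_home(home, platform):
    """Map each found artifact to whether it looks UPX-packed."""
    home = Path(home)
    return {rel: looks_upx_packed(home / rel) for rel in find_mokes_artifacts(home, platform)}


def make_sample_home():
    """Constructed fixture: a temporary home with two decoy files (not real samples)."""
    home = Path(tempfile.mkdtemp(prefix="mokes-demo-"))
    packed = home / "Library/Skype/SkypeHelper"
    packed.parent.mkdir(parents=True)
    packed.write_bytes(b"\x7fELF" + b"\x00" * 32 + b"UPX!" + b"\x00" * 32)  # constructed bytes
    plain = home / "Library/Dropbox/DropboxCache"
    plain.parent.mkdir(parents=True)
    plain.write_bytes(b"just a plain file")  # constructed bytes
    return str(home)


if __name__ == "__main__":
    import sys
    plat = "darwin" if sys.platform == "darwin" else "linux"
    for rel, packed in scan_home(Path.home(), plat).items():
        print(f"suspicious file: {Path.home() / rel} (UPX marker: {packed})")
```

Run it as-is to check the current user's home, or loop `scan_home` over every directory under `/home` or `/Users` from a privileged account. Any hit should be followed by hashing the file and comparing it against the vendor's published indicators rather than acting on the filename alone.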
With the inputs from The Hacker News