Mokes: This Single Malware Creates “Backdoor” In Windows, Linux, Mac OS X
Short Bytes: A cross-platform malware family has been reported by a security researcher from Kaspersky Lab. The malware can create a backdoor on Windows, Linux, and Mac OS X machines to collect data which can be transmitted to Command and Control Server over an encrypted connection.
A similar kind of backdoor called Mokes was reported for Linux and Windows operating systems by security researcher Stefan Ortloff of Kaspersky Lab in January this year.
For Linux, the backdoor malware called DropboxCache aka Backdoor.Linux.Mokes.a comes wrapped in a UPX ( Ultimate Packer for eXecutables) file. After initial execution on a Linux machine, it replicates itself to the following locations if it feels the need to do so,
- $HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled
- $HOME/$QT-GenericDataLocation/.dropbox/DropboxCache
For Windows, this 32-bit Mokes.a variant has a name OLMyJuxM.exe aka Backdoor.Win32.Mokes.imv. As the name suggests it is an executable file. It copies itself to nine different locations in %AppData% folder on the affected Windows machine along with creating an entry in Windows Registry.
What Mokes.a can do?
Ortloff describes that the Mokes malware is a great spy. It establishes an encrypted connection to a C&C (Command and Control) Server using AES 256-CBC encryption. It can capture user keystrokes, scan for files like office documents on the machine, monitor USB storage, take screenshots every 30 secs, and record audio and video clips. It can send all the data to its C&C server which is controlled by the attacker.
The malware can also create a temporary file of the collected data if the C&C server is not available for transfer. For instance, when the host device is disconnected from the internet.
The Missing Piece
Several months later, Ortloff has managed to find the brother of the cross-platform backdoor family Mokes.a on the Mac OS X operating system. Backdoor.OSX.Mokes.a is written in C++ using the cross-platform framework Qt. It has similar capabilities as described for other variants.
The cross-platform malware variant on Mac OS X replicates itself in the following locations:
- Â $HOME/Library/App Store/storeuserd
- $HOME/Library/com.apple.spotlight/SpotlightHelper
- $HOME/Library/Dock/com.apple.dock.cache
- $HOME/Library/Skype/SkypeHelper
- $HOME/Library/Dropbox/DropboxCache
- $HOME/Library/Google/Chrome/nacld
- $HOME/Library/Firefox/Profiles/profiled
With the inputs from The Hacker News
If you have something to add, tell us in the comments below.
Follow the link and get 30% off on Python Penetration Testing With Kali Linux.