# The Missing Piece – Sophisticated OS X Backdoor Discovered **[securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/](https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/)** [Malware descriptions](https://securelist.com/category/malware-descriptions/) [Malware descriptions](https://securelist.com/category/malware-descriptions/) 07 Sep 2016 minute read ----- Authors ## In a nutshell Stefan Ortloff Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a crossplatform backdoor which is able to operate on all major operating systems (Windows,Linux,OS X). Please see also our analysis on the Windows and Linux variants. This malware family is able to steal various types of data from the victim’s machine (Screenshots, Audio-/Video-Captures, Office-Documents, Keystrokes) The backdoor is also able to execute arbitrary commands on the victim’s computer To communicate it’s using strong AES-256-CBC encryption ## Background Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a crossplatform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx. 14MB. Let’s have a look into this very fresh sample. ## “Unpacked” Backdoor.OSX.Mokes.a ----- Its filename was unpacked when we got our hands on it, but we re assuming that in-thewild it comes packed, just like its Linux variant. ### Startup When executed for the first time, the malware copies itself to the first available of the following locations, in this order: $HOME/Library/App Store/storeuserd $HOME/Library/com.apple.spotlight/SpotlightHelper $HOME/Library/Dock/com.apple.dock.cache $HOME/Library/Skype/SkypeHelper $HOME/Library/Dropbox/DropboxCache $HOME/Library/Google/Chrome/nacld $HOME/Library/Firefox/Profiles/profiled Corresponding to that location, it creates a plist-file to achieve persistence on the system: After that it’s time to establish a first connection with its C&C server using HTTP on TCP port 80: ----- The User-Agent string is hardcoded in the binary and the server replies to this “heartbeat” request with “text/html” content of 208 bytes in length. Then the binary establishes an encrypted connection on TCP port 443 using the AES-256-CBC algorithm. ### Backdoor functionality Its next task is to setup the backdoor features: **Capturing Audio** ----- **Monitoring Removable Storage** **Capturing Screen (every 30 sec.)** **Scanning the file system for Office documents (xls, xlsx, doc, docx)** The attacker controlling the C&C server is also able to define own file filters to enhance the monitoring of the file system as well as executing arbitrary commands on the system. ----- Just like on other platforms, the malware creates several temporary files containing the collected data if the C&C server is not available. $TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots) $TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures) $TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs) $TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data) DDMMyy = date: 070916 = 2016-09-07 HHmmss = time: 154411 = 15:44:11 nnn = milliseconds If the environment variable $TMPDIR is not defined, “/tmp/” is used as the location [(http://doc.qt.io/qt-4.8/qdir.html#tempPath).](http://doc.qt.io/qt-4.8/qdir.html#tempPath) ### Hints from the author The author of this malware again left some references to the corresponding source files: ### Detection We detect this type of malware as HEUR:Backdoor.OSX.Mokes.a ## IOCs **Hash:** 664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c ----- **Files:** $HOME/LibraryApp Store/storeuserd $HOME/Library/com.apple.spotlight/SpotlightHelper $HOME/Library/Dock/com.apple.dock.cache $HOME/Library/Skype/SkypeHelper $HOME/Library/Dropbox/DropboxCache $HOME/Library/Google/Chrome/nacld $HOME/Library/Firefox/Profiles/profiled $HOME/Library/LaunchAgents/$filename.plist $TMPDIR/ss*-$date-$time-$ms.sst $TMPDIR/aa*-$date-$time-$ms.aat $TMPDIR/kk*-$date-$time-$ms.kkt $TMPDIR/dd*-$date-$time-$ms.ddt **Hosts:** 158.69.241[.]141 jikenick12and67[.]com cameforcameand33212[.]com **User-Agent:** Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A [Apple MacOS](https://securelist.com/tag/apple-macos/) [Backdoor](https://securelist.com/tag/backdoor/) [Linux](https://securelist.com/tag/linux/) [Microsoft Windows](https://securelist.com/tag/microsoft-windows/) [Non-Windows Malware](https://securelist.com/tag/non-windows-malware/) Authors Stefan Ortloff The Missing Piece – Sophisticated OS X Backdoor Discovered Your email address will not be published. Required fields are marked * GReAT webinars From the same authors ----- ### New wave of Mirai attacking home routers Beware of Backdoored Linux Mint ISOs ----- ### From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered Shellshock and its early adopters Spammy Facebook friends from the neighborhood ----- Subscribe to our weekly e-mails The hottest research right in your inbox -----