{
	"id": "ccbd8633-cbc7-4190-bbdf-9eab3b2c427b",
	"created_at": "2026-04-06T00:22:27.310338Z",
	"updated_at": "2026-04-10T13:11:44.5056Z",
	"deleted_at": null,
	"sha1_hash": "f1ec687baa6bb9cd5560722145e638819917432c",
	"title": "The Missing Piece - Sophisticated OS X Backdoor Discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 349904,
	"plain_text": "The Missing Piece - Sophisticated OS X Backdoor Discovered\r\nBy Stefan Ortloff\r\nPublished: 2016-09-07 · Archived: 2026-04-05 17:33:11 UTC\r\nIn a nutshell\r\nBackdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor that\r\nis able to operate on all major desktop operating systems (Windows, Linux, OS X). Please see also our analysis of\r\nthe Windows and Linux variants.\r\nThis malware family is able to steal various types of data from the victim’s machine (screenshots,\r\naudio/video captures, Office documents, keystrokes).\r\nThe backdoor is also able to execute arbitrary commands on the victim’s computer.\r\nIts C\u0026C communication is encrypted with AES-256-CBC.\r\nBackground\r\nBack in January this year we found a new family of cross-platform backdoors for desktop environments. After the\r\ndiscovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of\r\nMokes.a. It is written in C++ using Qt, a cross-platform application framework, and is statically linked against\r\nOpenSSL. This leads to a file size of approx. 14MB. 
Let’s have a look into this very fresh sample.\r\n“Unpacked” Backdoor.OSX.Mokes.a\r\nIts filename was “unpacked” when we got our hands on it, but we assume that in the wild it comes packed,\r\njust like its Linux variant.\r\nStartup\r\nWhen executed for the first time, the malware copies itself to the first available of the following locations, in this\r\norder:\r\n$HOME/Library/App Store/storeuserd\r\n$HOME/Library/com.apple.spotlight/SpotlightHelper\r\n$HOME/Library/Dock/com.apple.dock.cache\r\n$HOME/Library/Skype/SkypeHelper\r\n$HOME/Library/Dropbox/DropboxCache\r\n$HOME/Library/Google/Chrome/nacld\r\n$HOME/Library/Firefox/Profiles/profiled\r\nhttps://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/\r\nPage 1 of 6\n\nCorresponding to that location, it creates a plist file under $HOME/Library/LaunchAgents to achieve persistence on the system:\r\nAfter that, it establishes a first connection with its C\u0026C server using HTTP on TCP port 80:\r\nThe User-Agent string is hardcoded in the binary, and the server replies to this “heartbeat” request with “text/html”\r\ncontent of 208 bytes in length. 
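Before following the sample further, here is a small triage script added to this write-up; it is not part of the original Securelist post and not code from the malware itself. It applies what has been described so far: it flags the drop locations and any LaunchAgent plist pointing at one of them, matches the hardcoded heartbeat User-Agent listed in the IOC section at the end of this report, and decodes the DDMMyy-HHmmss-nnn timestamps of the staging files described in the temporary-files section below. The home directory, the plist contents and the proxy-log lines are constructed sample data; the plist name follows the $filename.plist pattern from the IOC list; the file listing and log lines are injected as arguments so the checks run offline.

```python
import os
import re
from datetime import datetime

# Drop locations named in the report, relative to $HOME (the first writable one is used).
DROP_PATHS = [
    'Library/App Store/storeuserd',
    'Library/com.apple.spotlight/SpotlightHelper',
    'Library/Dock/com.apple.dock.cache',
    'Library/Skype/SkypeHelper',
    'Library/Dropbox/DropboxCache',
    'Library/Google/Chrome/nacld',
    'Library/Firefox/Profiles/profiled',
]

# Hardcoded User-Agent of the port-80 heartbeat (from the IOC section of the report).
MOKES_UA = ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 '
            '(KHTML, like Gecko) Version/7.0.3 Safari/7046A194A')

# Staging-file names: <prefix><n>-DDMMyy-HHmmss-nnn.<prefix>t, as documented in the report.
TEMP_KINDS = {'ss': 'screenshot', 'aa': 'audio', 'kk': 'keylog', 'dd': 'data'}
TEMP_NAME_RE = re.compile(
    '^(ss|aa|kk|dd)([0-9]+)-([0-9]{2})([0-9]{2})([0-9]{2})-'
    '([0-9]{2})([0-9]{2})([0-9]{2})-([0-9]{3})[.](sst|aat|kkt|ddt)$')


def parse_temp_name(name):
    '''Decode a staging file name into (kind, datetime), or None if it is not one.'''
    m = TEMP_NAME_RE.match(name)
    if m is None or m.group(10) != m.group(1) + 't':   # extension must match the prefix
        return None
    dd, mm, yy, hh, mi, ss, ms = (int(x) for x in m.groups()[2:9])
    try:
        return TEMP_KINDS[m.group(1)], datetime(2000 + yy, mm, dd, hh, mi, ss, ms * 1000)
    except ValueError:   # e.g. month 13: right shape, but not a real timestamp
        return None


def find_persistence(home, files):
    '''files maps absolute path -> text content (None for binaries). Flags any known
    drop location that exists and any LaunchAgent plist that points at one of them.'''
    drops = [os.path.join(home, p) for p in DROP_PATHS]
    agents = os.path.join(home, 'Library', 'LaunchAgents') + os.sep
    hits = []
    for path, content in files.items():
        if path in drops:
            hits.append((path, 'known drop location'))
        elif path.startswith(agents) and path.endswith('.plist') and content:
            hits.extend((path, 'LaunchAgent references ' + d) for d in drops if d in content)
    return sorted(hits)


def heartbeat_lines(log_lines):
    '''Proxy-log lines carrying the hardcoded User-Agent. The same string is what a genuine
    Safari 7.0.3 on OS X 10.9.3 sends, so treat a hit as a lead to correlate with the
    port-80 beacon followed by a port-443 session, not as proof on its own.'''
    return [line for line in log_lines if MOKES_UA in line]


# --- constructed sample data (not captured from a real host) ---
HOME = '/Users/alice'
SAMPLE_FILES = {
    HOME + '/Library/Dropbox/DropboxCache': None,
    HOME + '/Library/LaunchAgents/DropboxCache.plist':
        '<key>ProgramArguments</key><array><string>' + HOME +
        '/Library/Dropbox/DropboxCache</string></array>',
    HOME + '/Library/LaunchAgents/com.real.vendor.plist':
        '<string>/Applications/Vendor.app/Contents/MacOS/helper</string>',
}
SAMPLE_LOG = [
    '10.0.0.5 - GET http://198.51.100.7/ 200 208 text/html ' + MOKES_UA,
    '10.0.0.9 - GET http://example.org/ 200 5120 text/html Mozilla/5.0 (Windows NT 10.0) Firefox/48.0',
]


def demo():
    '''Run all three checks on the constructed data and return the findings.'''
    return {
        'persistence': find_persistence(HOME, SAMPLE_FILES),
        'heartbeats': heartbeat_lines(SAMPLE_LOG),
        'temp': parse_temp_name('ss0-070916-154411-123.sst'),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Run it as a script to print the findings for the constructed data; on a live host, build the files dict from os.walk over $HOME/Library (reading only .plist files) and the log list from a proxy export. The temp-name decoder rejects names whose extension does not match the prefix and names whose digits do not form a real date, so a stray document such as report.docx never counts as a hit.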
Then the binary establishes an encrypted connection on TCP port 443 using the\r\nAES-256-CBC algorithm.\r\nBackdoor functionality\r\nIts next task is to set up the backdoor features:\r\nCapturing Audio\r\nMonitoring Removable Storage\r\nCapturing Screen (every 30 sec.)\r\nScanning the file system for Office documents (xls, xlsx, doc, docx)\r\nThe attacker controlling the C\u0026C server is also able to define their own file filters to extend the monitoring of the file\r\nsystem, as well as to execute arbitrary commands on the system.\r\nJust like on the other platforms, the malware creates several temporary files containing the collected data if the C\u0026C\r\nserver is not available.\r\n$TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)\r\n$TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audio captures)\r\n$TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)\r\n$TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary data)\r\nDDMMyy = date: 070916 = 2016-09-07\r\nHHmmss = time: 154411 = 15:44:11\r\nnnn = milliseconds\r\nIf the environment variable $TMPDIR is not defined, “/tmp/” is used as the location (http://doc.qt.io/qt-4.8/qdir.html#tempPath).\r\nHints from the author\r\nThe author of this malware again left some references to the corresponding source files:\r\nDetection\r\nWe detect this type of malware as HEUR:Backdoor.OSX.Mokes.a\r\nIOCs\r\nHash (SHA-256):\r\n664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c\r\nFiles:\r\n$HOME/Library/App Store/storeuserd\r\n$HOME/Library/com.apple.spotlight/SpotlightHelper\r\n$HOME/Library/Dock/com.apple.dock.cache\r\n$HOME/Library/Skype/SkypeHelper\r\n$HOME/Library/Dropbox/DropboxCache\r\n$HOME/Library/Google/Chrome/nacld\r\n$HOME/Library/Firefox/Profiles/profiled\r\n$HOME/Library/LaunchAgents/$filename.plist\r\n$TMPDIR/ss*-$date-$time-$ms.sst\r\n$TMPDIR/aa*-$date-$time-$ms.aat\r\n$TMPDIR/kk*-$date-$time-$ms.kkt\r\n$TMPDIR/dd*-$date-$time-$ms.ddt\r\nHosts:\r\n158.69.241[.]141\r\njikenick12and67[.]com\r\ncameforcameand33212[.]com\r\nUser-Agent:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3\r\nSafari/7046A194A\r\nSource: https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/"
	],
	"report_names": [
		"the-missing-piece-sophisticated-os-x-backdoor-discovered"
	],
	"threat_actors": [],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1ec687baa6bb9cd5560722145e638819917432c.pdf",
		"text": "https://archive.orkl.eu/f1ec687baa6bb9cd5560722145e638819917432c.txt",
		"img": "https://archive.orkl.eu/f1ec687baa6bb9cd5560722145e638819917432c.jpg"
	}
}