The last time Hackerfall tried to access this page, it returned a not found error. A cached version of the page is below, or click here to continue anyway

The Missing Piece Sophisticated OS X Backdoor Discovered - Securelist

The Missing Piece – Sophisticated OS X Backdoor Discovered

In a nutshell


Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx. 14MB. Let’s have a look into this very fresh sample.

“Unpacked” Backdoor.OSX.Mokes.a

Its filename was “unpacked” when we got our hands on it, but we’re assuming that in-the-wild it comes packed, just like its Linux variant.


When executed for the first time, the malware copies itself to the first available of the following locations, in this order:

Corresponding to that location, it creates a plist-file to achieve persistence on the system:

After that it’s time to establish a first connection with its C&C server using HTTP on TCP port 80:

The User-Agent string is hardcoded in the binary and the server replies to this “heartbeat” request with “text/html” content of 208 bytes in length. Then the binary establishes an encrypted connection on TCP port 443 using the AES-256-CBC algorithm.

Backdoor functionality

Its next task is to setup the backdoor features:

The attacker controlling the C&C server is also able to define own file filters to enhance the monitoring of the file system as well as executing arbitrary commands on the system.

Just like on other platforms, the malware creates several temporary files containing the collected data if the C&C server is not available.

DDMMyy = date: 070916 = 2016-09-07 HHmmss = time: 154411 = 15:44:11 nnn = milliseconds

If the environment variable $TMPDIR is not defined, “/tmp/” is used as the location (

Hints from the author

The author of this malware again left some references to the corresponding source files:


We detect this type of malware as HEUR:Backdoor.OSX.Mokes.a


Hash: 664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c

Files: $HOME/LibraryApp Store/storeuserd $HOME/Library/ $HOME/Library/Dock/ $HOME/Library/Skype/SkypeHelper $HOME/Library/Dropbox/DropboxCache $HOME/Library/Google/Chrome/nacld $HOME/Library/Firefox/Profiles/profiled $HOME/Library/LaunchAgents/$filename.plist $TMPDIR/ss*-$date-$time-$ms.sst $TMPDIR/aa*-$date-$time-$ms.aat $TMPDIR/kk*-$date-$time-$ms.kkt $TMPDIR/dd*-$date-$time-$ms.ddt

Hosts: 158.69.241[.]141 jikenick12and67[.]com cameforcameand33212[.]com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A

Continue reading on