Mokes is cross-platform malware (it also targets Windows and Linux) that opens a backdoor on the infected machine. How it propagates to macOS machines is unknown; the only evidence of it is an unpacked version of the malware on VirusTotal. Mokes is able to perform the actions below:

  • Take screenshots
  • Capture audio and video
  • Steal Office documents
  • Record keystrokes
  • Execute additional commands

Once executed, the malware copies itself to the first of these locations that is available:

  • $HOME/Library/AppStore/storeuserd
  • $HOME/Library/com.apple.spotlight/SpotlightHelper
  • $HOME/Library/Dock/com.apple.dock.cache
  • $HOME/Library/Skype/SkypeHelper
  • $HOME/Library/Dropbox/DropboxCache
  • $HOME/Library/Google/Chrome/nacld
  • $HOME/Library/Firefox/Profiles/profiled

The malware creates a LaunchAgent pointing at the file created above so that it persists across reboots. To hold stolen information, Mokes uses temporary files with a different extension for each data type:

  • $TMPDIR/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots)
  • $TMPDIR/aa0-DDMMyy-HHmmss-nnn.aat (Audio captures)
  • $TMPDIR/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
  • $TMPDIR/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)
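
A host triage script for the artifacts listed above, added here as an example and not code from the original page or from any published analysis of Mokes: it checks the seven drop locations under $HOME, finds LaunchAgent plists whose program is one of those paths, and classifies $TMPDIR file names against the staging-file naming pattern. The function names, the injectable `exists` parameter and the data-type labels are this example's own.

```python
import os
import plistlib
import re
DROP_PATHS = [  # drop locations from the description, relative to $HOME
    "Library/AppStore/storeuserd",
    "Library/com.apple.spotlight/SpotlightHelper",
    "Library/Dock/com.apple.dock.cache",
    "Library/Skype/SkypeHelper",
    "Library/Dropbox/DropboxCache",
    "Library/Google/Chrome/nacld",
    "Library/Firefox/Profiles/profiled",
]
# Staging file names: <type>0-DDMMyy-HHmmss-nnn.<type>t, e.g. ss0-010124-120000-001.sst
ARTIFACT_RE = re.compile(r"^(ss|aa|kk|dd)0-\d{6}-\d{6}-\d{3}\.\1t$")  # \1t: extension must match prefix
ARTIFACT_TYPES = {"ss": "screenshot", "aa": "audio", "kk": "keylog", "dd": "data"}

def classify_artifact(filename):
    """Return the data type a staging file name encodes, or None if it does not match."""
    m = ARTIFACT_RE.match(filename)
    return ARTIFACT_TYPES[m.group(1)] if m else None

def find_dropped_binaries(home, exists=os.path.exists):
    """Return the drop paths present under `home` (`exists` is injectable for testing)."""
    return [p for p in (os.path.join(home, rel) for rel in DROP_PATHS) if exists(p)]

def launch_agent_program(plist_bytes):
    """Return the executable a LaunchAgent plist would run (Program, else argv[0])."""
    data = plistlib.loads(plist_bytes)
    if data.get("Program"):
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else None

def agents_launching(agents_dir, dropped):
    """Return plist names under `agents_dir` whose program is one of the `dropped` paths."""
    hits = []
    for name in (os.listdir(agents_dir) if os.path.isdir(agents_dir) else []):
        try:
            with open(os.path.join(agents_dir, name), "rb") as fh:
                if launch_agent_program(fh.read()) in dropped:
                    hits.append(name)
        except Exception:  # unreadable, or not a parseable plist dictionary
            continue
    return hits

if __name__ == "__main__":  # triage the current user account
    home = os.path.expanduser("~")
    dropped = find_dropped_binaries(home)
    print("dropped binaries:", dropped, "\nagents launching them:", agents_launching(os.path.join(home, "Library/LaunchAgents"), dropped))
    print("staging files:", {n: t for n in os.listdir(os.environ.get("TMPDIR", "/tmp")) if (t := classify_artifact(n))})
```

Run it as the user being triaged; a hit in both the drop-path check and the LaunchAgent check is the persistence pair the description above refers to.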

Samples:
1e8568e61b75a68ed7481cf0619f643af76bf889