Most malware is specifically developed to take advantage of the Windows operating system platform; however, cyber attackers have started creating cross-platform malware for wider exploitation.
Due to the rise in popularity of Mac OS X and other alternatives to the Windows desktop, attackers have begun designing modular cross-platform malware for wide distribution.
Cross-platform malware is designed to run on multiple platforms such as Windows, Mac OS X, and Linux.
One such malware family has recently been discovered by researchers at Kaspersky Lab.
Stefan Ortloff, a researcher from Kaspersky Lab’s Global Research and Analysis Team, first discovered the Linux and Windows variants of this family of cross-platform backdoor malware in January this year.
Now the researcher has confirmed the existence of an OS X variant of this malware family, giving a technical breakdown of the backdoor in a post on Securelist.
Like the Linux and Windows variants, the OS X backdoor variant, Backdoor.OSX.Mokes.a, specializes in capturing audio and video, logging keystrokes, and taking screenshots every 30 seconds from a victim’s machine.
The backdoor also has the capability to monitor removable storage like when a USB drive is connected to or removed from the computer.
It can also scan the file system for Office documents, including .docx, .doc, .xlsx, and .xls files. The OS X backdoor can also execute arbitrary commands on the victim’s computer. The backdoor communicates with its command-and-control server over an encrypted connection.
Ortloff notes that, right after execution, the OS X sample he analyzed copies itself to a handful of locations, including caches that belong to Skype, Dropbox, Google, and Firefox. This behavior is similar to that of the Linux variant, which copied itself to locations belonging to Dropbox and Firefox after execution.
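Application cache directories normally hold data files, not executables, so a backdoor that copies itself into them leaves a detectable trace. The following sweep is an added example written for this article, not code from Kaspersky or the Securelist post; it assumes Mach-O magic numbers as the test for "is this an executable", and the sample cache tree it walks is constructed in a temporary directory rather than taken from a real machine.

```python
import os
import tempfile
from pathlib import Path

# Mach-O magic numbers: 32/64-bit in both byte orders, plus the fat (universal) header.
# 0xCAFEBABE is also the Java class-file magic, so treat a fat-header hit as "inspect", not "confirmed".
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC
}

def is_macho(path: Path) -> bool:
    """Return True if the file starts with a Mach-O magic number."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def find_executables_in_caches(cache_dirs) -> list:
    """Walk each cache directory and return the paths of Mach-O files found there.
    Caches should contain data, not executables, so every hit deserves a closer look."""
    hits = []
    for base in cache_dirs:
        base = Path(base).expanduser()
        if not base.is_dir():
            continue
        for root, _dirs, files in os.walk(base):
            for name in files:
                p = Path(root) / name
                if p.is_file() and not p.is_symlink() and is_macho(p):
                    hits.append(str(p))
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample data: a fake cache layout with one planted Mach-O file.
    The directory names are hypothetical, not the paths used by the malware."""
    root = Path(tempfile.mkdtemp(prefix="cache_sweep_demo_"))
    skype = root / "Caches" / "Skype"
    firefox = root / "Caches" / "Firefox"
    skype.mkdir(parents=True)
    firefox.mkdir(parents=True)
    (skype / "storage.data").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)   # 64-bit Mach-O header
    (firefox / "cache2.bin").write_bytes(b"\x00\x01\x02\x03" + b"\x00" * 60)  # ordinary cache data
    return str(root)

if __name__ == "__main__":
    for hit in find_executables_in_caches([build_sample_tree()]):
        print("executable found in cache:", hit)
```

On a real host, point `find_executables_in_caches` at the user's `~/Library/Caches` subdirectories and review each hit by hand, since legitimate helper binaries occasionally live in caches too.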
The researcher has not attributed the Mokes backdoor family to any hacking group, state-sponsored actor, or country, nor has he detailed the OS X backdoor’s infection vector or how widespread it is.
However, based on the currently available information, the backdoor seems to be a sophisticated piece of malware.