Security researchers have identified the Mac version of a backdoor trojan that was previously thought to infect only Linux and Windows systems.
Discovered in January 2016 under the name Linux.Ekocms, this backdoor trojan was believed to be capable of infecting Linux computers only, allowing attackers to record audio and take screenshots on infected machines.
Ten days after researchers from Dr.Web uncovered the Linux version, the other big Russian antivirus maker, Kaspersky, discovered a Windows variant with most of the same features, which it detected under the name Mokes.
Researchers foresaw a Mac variant last January
During its analysis of the Windows Mokes samples, Kaspersky observed that the trojan was coded in C++ and Qt, a cross-platform application framework that would have allowed Mokes, at least in theory, to target Mac devices as well.
After a period of general calm, Kaspersky announced today it detected the first samples of the Mokes trojan capable of infecting Mac OS X systems.
Just like its Linux and Windows predecessors, the OS X version of Mokes features the same spying capabilities.
Once it has infected a Mac, the trojan opens a connection to its C&C server that is encrypted with AES-256-CBC.
Mokes is used to take screenshots, record audio and video
Once the crook has a direct line to infected Mac devices, he can send commands to the trojan to perform several actions, such as logging keystrokes, scanning for office-related documents, capturing audio and video from the device’s microphone and camera, or taking screenshots of the user’s desktop.
In recent months, the amount of malware targeting Linux and Mac devices has risen to record levels.
For example, just in July, security researchers from Bitdefender discovered another backdoor trojan called Eleanor that used Tor to open connections on infected devices and steal data.
A day after Bitdefender’s discovery, security researchers from ESET detected Keydnap, a Mac trojan that could extract passwords from the Keychain utility and send them to the attacker’s server.