{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/osx.mokes/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Firefox","macOS","OSX.Mokes"],"_cs_severities":["high"],"_cs_tags":["malware","backdoor","osx.mokes","macos","firefox"],"_cs_type":"threat","_cs_vendors":["Mozilla","Apple","Kaspersky"],"content_html":"\u003cp\u003eIn June 2019, a Firefox 0-day exploit was leveraged to target employees at various cryptocurrency exchanges, deploying a previously unknown variant of the OSX.Mokes backdoor. This new variant, dubbed OSX.Mokes.B, shares significant code overlap and capabilities with the original OSX.Mokes discovered by Kaspersky in 2016. The malware, a 13MB 64-bit Mach-O binary, was initially undetected by VirusTotal engines. It installs itself under various names (quicklookd, storeaccountd), persists via launch agents, and communicates with a command and control server. The malware possesses capabilities including screen capture, audio recording, and the ability to discover and exfiltrate documents. The binaries are often very large due to statically linked libraries like OpenSSL. \nThis campaign highlights the continued relevance of older malware families adapted for modern exploits and the importance of behavior-based detection to supplement signature-based AV.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: A Firefox 0-day exploit is used to compromise a macOS system.\u003c/li\u003e\n\u003cli\u003eMalware Dropper: The exploit drops a Mach-O executable (mac) to the /Users/\u003cuser\u003e/Desktop/ directory.\u003c/li\u003e\n\u003cli\u003eInstallation: The malware copies itself to a location in the user\u0026rsquo;s Library directory, such as ~/Library/Dropbox/quicklookd or ~/Library/App Store/storeaccountd.\u003c/li\u003e\n\u003cli\u003ePersistence: A launch agent plist file (e.g., quicklookd.plist or storeaccountd.plist) is created in ~/Library/LaunchAgents/ to ensure persistence across reboots. The plist file sets the \u0026ldquo;RunAtLoad\u0026rdquo; key to 1.\u003c/li\u003e\n\u003cli\u003eExecution: The malware executes the copied binary from its new location using execve.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The malware initiates an outbound TCP connection to the C2 server at 185.49.69.210 over HTTP.\u003c/li\u003e\n\u003cli\u003eData Collection: The malware leverages AVFoundation frameworks to capture screen and audio recordings.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The malware searches for and exfiltrates documents with extensions like *.doc, *.docx, *.xls, and *.xlsx.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful infection leads to persistent remote access, allowing the attacker to capture sensitive information, including screen recordings, audio, and documents. This can result in financial loss, intellectual property theft, and reputational damage. \nWhile the specific number of victims is unknown, the targeting of cryptocurrency exchanges suggests a focus on high-value targets. The malware\u0026rsquo;s capabilities align with those of a fully-featured backdoor, providing extensive control over compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for executables running from non-standard directories like ~/Library/Dropbox/ or ~/Library/App Store/ using the \u0026ldquo;Process Created from User Library Directory\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;OSX.Mokes C2 Communication\u0026rdquo; Sigma rule to detect network connections to the identified C2 server IP address (185.49.69.210).\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of LaunchAgent plists that execute binaries from atypical installation paths, especially those masquerading as common system processes or applications based on the persistence steps described above.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for connections to 185.49.69.210 on port 80, and analyze the HTTP traffic for command and control patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-firefox-0day-mokes/","summary":"A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.","title":"Firefox 0-day Drops OSX.Mokes.B Backdoor on macOS","url":"https://feed.craftedsignal.io/briefs/2024-01-29-firefox-0day-mokes/"}],"language":"en","title":"CraftedSignal Threat Feed — OSX.Mokes","version":"https://jsonfeed.org/version/1.1"}