<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Osx.mokes — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/osx.mokes/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/osx.mokes/feed.xml" rel="self" type="application/rss+xml"/><item><title>Firefox 0-day Drops OSX.Mokes.B Backdoor on macOS</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-firefox-0day-mokes/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-firefox-0day-mokes/</guid><description>A Firefox 0-day exploit was used to target Mac users, dropping a second backdoor identified as a new variant of the cross-platform Mokes malware (OSX.Mokes.B) with screen capture, audio capture, and document exfiltration capabilities.</description><content:encoded><![CDATA[<p>In June 2019, a Firefox 0-day exploit was leveraged to target employees at various cryptocurrency exchanges, deploying a previously unknown variant of the OSX.Mokes backdoor. This new variant, dubbed OSX.Mokes.B, shares significant code overlap and capabilities with the original OSX.Mokes discovered by Kaspersky in 2016. The malware, a 13MB 64-bit Mach-O binary, was initially undetected by VirusTotal engines. It installs itself under various names (quicklookd, storeaccountd), persists via launch agents, and communicates with a command and control server. 
The malware possesses capabilities including screen capture, audio recording, and the ability to discover and exfiltrate documents. The binaries are often very large due to statically linked libraries like OpenSSL. This campaign highlights the continued relevance of older malware families adapted for modern exploits and the importance of behavior-based detection to supplement signature-based AV.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: A Firefox 0-day exploit is used to compromise a macOS system.</li>
<li>Malware Dropper: The exploit drops a Mach-O executable (mac) to the /Users/&lt;user&gt;/Desktop/ directory.</li>
<li>Installation: The malware copies itself to a location in the user&rsquo;s Library directory, such as ~/Library/Dropbox/quicklookd or ~/Library/App Store/storeaccountd.</li>
<li>Persistence: A launch agent plist file (e.g., quicklookd.plist or storeaccountd.plist) is created in ~/Library/LaunchAgents/ to ensure persistence across reboots. The plist file sets the &ldquo;RunAtLoad&rdquo; key to 1.</li>
<li>Execution: The malware executes the copied binary from its new location using execve.</li>
<li>Command and Control: The malware initiates an outbound TCP connection to the C2 server at 185.49.69.210 over HTTP.</li>
<li>Data Collection: The malware leverages AVFoundation frameworks to capture screen and audio recordings.</li>
<li>Data Exfiltration: The malware searches for and exfiltrates documents with extensions like *.doc, *.docx, *.xls, and *.xlsx.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful infection leads to persistent remote access, allowing the attacker to capture sensitive information, including screen recordings, audio, and documents. This can result in financial loss, intellectual property theft, and reputational damage. While the specific number of victims is unknown, the targeting of cryptocurrency exchanges suggests a focus on high-value targets. The malware&rsquo;s capabilities align with those of a fully-featured backdoor, providing extensive control over compromised systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creations for executables running from non-standard directories like ~/Library/Dropbox/ or ~/Library/App Store/ using the &ldquo;Process Created from User Library Directory&rdquo; Sigma rule.</li>
<li>Deploy the &ldquo;OSX.Mokes C2 Communication&rdquo; Sigma rule to detect network connections to the identified C2 server IP address (185.49.69.210).</li>
<li>Monitor for the creation of LaunchAgent plists that execute binaries from atypical installation paths, especially those masquerading as common system processes or applications based on the persistence steps described above.</li>
<li>Inspect network traffic for connections to 185.49.69.210 on port 80, and analyze the HTTP traffic for command and control patterns.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>malware</category><category>backdoor</category><category>osx.mokes</category><category>macos</category><category>firefox</category></item></channel></rss>