New OS X malware: Mokes A, a powerful backdoor

Stefan Ortloff of Kaspersky Lab’s SecureList has just announced the discovery of new malware which affects OS X, officially named Backdoor.OSX.Mokes.a. His detailed account is here.

This is a variant of backdoor malware which Kaspersky had already found affecting Windows and Linux, and has now found on OS X. It enables an attacker to steal a wide range of information from an infected Mac, including screenshots, documents, keystrokes, and more. The malware can also execute commands, and communicates with the remote system controlling it over an encrypted channel. In other words, your Mac is taken over by the attacker.

It is currently not clear how the malware reaches a Mac, but it is most probably sent as a mail attachment or delivered as an unwanted download from a website. The file is quite small, only around 14 MB, and is easy to miss.

There are several obvious signs of infection, including the creation of a new folder named App Store in the user’s Home Library folder (~/Library), which contains a background service named storeuserd. El Capitan should not have that folder or file: if your Mac has both, then you can be certain that it is infected.
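As an added example (not code from the original post or from Kaspersky), the following read-only shell check looks for exactly that pair of indicators, the App Store folder inside ~/Library and a storeuserd file within it, across every home folder. The indicator names come from the post; the /Users default, the verdict words and the function names are assumptions of this script.

```sh
#!/bin/sh
# Added example: report Mac home folders carrying the Mokes.a indicators
# described in the post. The folder and file names are from the post; the
# /Users default and the verdict words are assumptions of this script.

# mokes_check HOME_DIR
#   prints INFECTED when both ~/Library/App Store and the storeuserd file
#   inside it exist, SUSPECT when only the folder exists (worth inspecting),
#   and clean otherwise. Nothing is modified.
mokes_check() {
    dir="$1/Library/App Store"
    if [ -d "$dir" ] && [ -f "$dir/storeuserd" ]; then
        echo INFECTED
    elif [ -d "$dir" ]; then
        echo SUSPECT
    else
        echo clean
    fi
}

# mokes_scan [USERS_ROOT]
#   runs mokes_check on every home folder under USERS_ROOT (default /Users)
#   and prints one line per finding; clean homes produce no output.
mokes_scan() {
    root="${1:-/Users}"
    for home in "$root"/*/; do
        [ -d "$home" ] || continue        # no matches: the glob stays literal
        home="${home%/}"                  # strip the trailing slash
        verdict=$(mokes_check "$home")
        case $verdict in
            INFECTED) printf 'INFECTED %s\n' "$home" ;;
            SUSPECT)  printf 'SUSPECT  %s\n' "$home" ;;
        esac
    done
}

# Run as a script, scan /Users (or the directory given as first argument).
mokes_scan "$@"
```

Run it with `sudo` to read other users' Library folders; a SUSPECT line only means the folder exists and should be inspected, since the post ties a certain infection to both indicators together.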

Patrick Wardle of Objective-See reports that its persistence is detected by his BlockBlock tool, and commercial anti-virus products will also detect it in due course.