Kaspersky Lab have discovered a sophisticated strain of malware which has shifted across platforms in order to target Mac OS X users. They revealed the existence of Backdoor.OSX.Mokes, an OS X-based variation of the Mokes malware family which was discovered back in January. According to the team, the malicious code is now able to operate on all major operating systems including Windows, Linux and Mac. IT security experts from Redscan, AlienVault and ESET commented below.

Robert Page, Lead Penetration Tester at Redscan:

“The creation of malware is becoming increasingly industrialised. Similar to commercial software, being able to run on multiple platforms allows for a greater install base.

It’s interesting the malware does not appear to have built in functionality to capture financial data. This could suggest it’s designed for use against specific targets, rather than attempting to compromise financial information at scale. This is in contrast to OSX.Mokes.a which was a type of ransomware which demanded users pay one bitcoin to gain access to their files again.

One powerful technology within Mac OS X which would prevent this type of malware is “Gatekeeper”, which is available in Mac OS X 10.7.5 onwards. This prevents executables from running if they have not been cryptographically signed by the software developer.

OSX/Keydnap bypassed Mac OS X Gatekeeper by infecting the Transmission torrent client website and signing the Transmission client executables using a stolen certificate. Kaspersky don’t comment on the method OSX.Mokes.a uses to infect hosts so it’s difficult to say if it’s using a similar technique to OSX/Keydnap to infect systems.

The best way for users to protect themselves is not to run un-trusted software, ensuring their software is up to date and running anti-virus software.”

Jaime Blasco, Vice President and Chief Scientist at AlienVault:

“The use of cross-platform malware is not new. Actually, we reported a few cases in the past of attackers targeting MacosX and Windows with similar backdoors and the same Java exploit.

The malware has keylogging capabilities and it is able to steal files, take screenshots and capture audio/video, similar capabilities to other “sophisticated” MacOSX malware we analyzed recently.”