Mokes: A Cross-Platform Malware In Windows, Linux, Mac OS X

Not too long ago malware was a topic discussed only among Windows users because they weren’t sure of security and this was due to how popular the Windows OS is. But now, as other OS platforms have become famous too cyber attacks are being made to be more sophisticated and kind of easier to execute – hackers are developing one-stop hacking solutions in the form of cross-platform malware! That’s right.Single malicious programs specifically designed to exploit the backdoors of various OSes.


At the begining of this year in January, security researcher, Stefan Ortloff, of Kaspersky Lab just made a report about Mokes, a similar kind of backdoor for Linux and Windows platforms.

The backdoor malware specific to Linux is called DropboxCache aka Backdoor.Linux.Mokes.a and it comes wrapped in a UPX ( Ultimate Packer for eXecutables) file. It replicates itself to the following locations if it sees reason to after its first execution on a Linux machine:

  • $HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled
  • $HOME/$QT-GenericDataLocation/.dropbox/DropboxCache

This 32-bit Mokes.a variant for Windows is called OLMyJuxM.exe aka Backdoor.Win32.Mokes.imv. It is an executable file that copies itself to nine locations in the %AppData% folder on the affected Windows machine as well creates an entry in Windows Registry.

What’s the Mokes.a capable of?

Ortloff refers to the Mokes malware as a great spy because it establishes an encrypted connection to a C&C (Command and Control) Server via an AES 256-CBC encryption which allows it to capture user keystrokes, scan for files on the machine, automatically take screenshots every 30 secs, record audio and video clips, and monitor USB storage. It is also capable of sending all the data it collects to its attacker-controlled C&C server.

What about when the host device is disconnected from the internet? Well, this malware can easily create a temporary file of the collected data and keep it to transfer later.

The Missing Piece

Many months have passed and now, Ortloff has managed to locate the brother of Mokes.a on the Mac OS X. Backdoor.OSX.Mokes.a is written in C++ via the cross-platform Qt framework and has similar capabilities to other variants.

The malware variant on Mac OS X replicates itself in the locations below:

  •  $HOME/Library/App Store/storeuserd
  • $HOME/Library/
  • $HOME/Library/Dock/
  • $HOME/Library/Skype/SkypeHelper
  • $HOME/Library/Dropbox/DropboxCache
  • $HOME/Library/Google/Chrome/nacld
  • $HOME/Library/Firefox/Profiles/profiled
Our guess is that this malware is dangerous but we are yet to receive comments from the researcher as to how far it has reached and an analysis of ay damages it has caused – if there are any. For now, we will just have to wait.
It seems hackers are beginning to spread their attention across platforms and that’s unsettling. Tell us what you think about this malware in the comments below.

About The Author
Martins Okoi
Computer Science enthusiasts with a passion for learning new things. In my spare time, I listen to music, read like a compiler, and learn like an A.I algorithm.

Leave a Response