DropboxCache, a Linux backdoor that was found earlier this year to have migrated to Windows, is targeting Mac OS X devices as well, Kaspersky Lab security researchers warn.
Also known as Mokes.A or Backdoor.OSX.Mokes.a, DropboxCache is written in C++ using Qt, which is a cross-platform application framework, Kaspersky researchers explain. Moreover, the malware is statically linked to OpenSSL and has a filesize of around 14MB.
The cross-platform backdoor that now operates on all major operating systems was also designed with spying capabilities, and is able to steal screenshots, audio-/video-captures, Office documents, and keystrokes from compromised machines. On top of that, it can execute arbitrary commands on the victim’s computer and communicates with its command and control (C&C) server using strong AES-256-CBC encryption.
The OS X variant of DropboxCache, researchers say, is supposedly being distributed packed, just as its Linux counterpart. After the initial execution, the backdoor copies itself to a specific location in $HOME/Library/, the first it finds available from a pre-defined list. Moreover, it creates a plist-file corresponding to that location, which allows it to achieve persistence on the system.
Next, the malware establishes a connection to the C&C server using HTTP on TCP port 80. As Kaspersky’s Stefan Ortloff explains, the User-Agent string is hardcoded in the binary, the server replies to this first request with “text/html” content, then an encrypted connection on TCP port 443 using the AES-256-CBC algorithm is established.
As soon as the connection has been established, the malware sets up its backdoor features, which include capturing audio, monitoring removable storage, capturing screenshots every 30 seconds, and scanning the file system for Office documents (xls, xlsx, doc, docx). Moreover, the malware’s operator “can define own file filters to enhance the monitoring of the file system as well as executing arbitrary commands on the system,” Kaspersky says.
The OS X variant of the backdoor can also create a series of temp files that include the collected data, but only if the C&C server isn’t available. The functionality was observed on the malware’s Linux and Windows versions as well.
Related: OS X Backdoor Provides Unfettered Access to Mac Systems
Related: New Cross-Platform Backdoors Target Linux, Windows
Related: Windows Backdoor Ported to Mac OS X, Used in Targeted Attacks