Connect with us

Hi, what are you looking for?


Endpoint Security

DropboxCache Cross-Platform Backdoor Targets OS X

DropboxCache, a Linux backdoor that was found earlier this year to have migrated to Windows, is targeting Mac OS X devices as well, Kaspersky Lab security researchers warn.

DropboxCache, a Linux backdoor that was found earlier this year to have migrated to Windows, is targeting Mac OS X devices as well, Kaspersky Lab security researchers warn.

Also known as Mokes.A or Backdoor.OSX.Mokes.a, DropboxCache is written in C++ using Qt, which is a cross-platform application framework, Kaspersky researchers explain. Moreover, the malware is statically linked to OpenSSL and has a filesize of around 14MB.

The cross-platform backdoor that now operates on all major operating systems was also designed with spying capabilities, and is able to steal screenshots, audio-/video-captures, Office documents, and keystrokes from compromised machines. On top of that, it can execute arbitrary commands on the victim’s computer and communicates with its command and control (C&C) server using strong AES-256-CBC encryption.

The OS X variant of DropboxCache, researchers say, is supposedly being distributed packed, just as its Linux counterpart. After the initial execution, the backdoor copies itself to a specific location in $HOME/Library/, the first it finds available from a pre-defined list. Moreover, it creates a plist-file corresponding to that location, which allows it to achieve persistence on the system.

Next, the malware establishes a connection to the C&C server using HTTP on TCP port 80. As Kaspersky’s Stefan Ortloff explains, the User-Agent string is hardcoded in the binary, the server replies to this first request with “text/html” content, then an encrypted connection on TCP port 443 using the AES-256-CBC algorithm is established.

As soon as the connection has been established, the malware sets up its backdoor features, which include capturing audio, monitoring removable storage, capturing screenshots every 30 seconds, and scanning the file system for Office documents (xls, xlsx, doc, docx). Moreover, the malware’s operator “can define own file filters to enhance the monitoring of the file system as well as executing arbitrary commands on the system,” Kaspersky says.

The OS X variant of the backdoor can also create a series of temp files that include the collected data, but only if the C&C server isn’t available. The functionality was observed on the malware’s Linux and Windows versions as well.

Advertisement. Scroll to continue reading.

Related: OS X Backdoor Provides Unfettered Access to Mac Systems

Related: New Cross-Platform Backdoors Target Linux, Windows

Related: Windows Backdoor Ported to Mac OS X, Used in Targeted Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.