OSX.Mokes
Short bio
OSX.Mokes is Malwarebytes’ detection name for a backdoor that is aimed at MacOS systems.
Type and source of infection
OSX.Mokes is a general purpose backdoor that has been around since 2016. Most recently OSX.Mokes was spread by a 0-day exploit for Firefox sent out in a targeted attack as phishing mails.
Aftermath
Even though OSX.Mokes is believed to be part of a targeted attack, a backdoor opens up an affected system to additional malware, so it’s impossible to say if OSX.Mokes will be the only malware to be found on an infected system.
Protection
Malwarebytes for Mac detects and removes OSX.Mokes.
Remediation
Malwarebytes for Mac will detect and remove the components of this malware.
Download and install the latest version of Malwarebytes for Mac.
Click the “Scan Now” button to perform a system scan.
If threats are detected during the scan, a count of detected threats is displayed. More detailed threat information is displayed after the scan completes.
Click “Confirm” to move the detected threats to Quarantaine.
If a restart is required to complete remediation of threats detected during a scan, you will be notified. When a restart is required, please remember to save all work before clicking “Restart”.
Traces/IOCs
Filesystem:
~/Library/App Store/storeaccountd ~/Library/com.apple.spotlight/Spotlightd ~/Library/Skype/soagent ~/Library/Dropbox/quicklookd ~/Library/Google/Chrome/accountd ~/Library/Firefox/Profiles/profiled ~/Library/LaunchAgents/[name].plist where [name] matches the name of the executable, eg “accountd.plist”