How to protect your Mac from Mokes: malware that steals bank details
What is Mokes?
First discovered in 2016 by cybersecurity experts at Kaspersky Lab, Mokes is a type of malware created specifically to steal login passwords and financial information: anything valuable that its creators can profit from, either directly or by selling the stolen data on the dark web.
Mokes is a fairly sophisticated cross-platform malware; it creates a backdoor into macOS, Windows, and Linux devices. Once a machine is infected, it takes screenshots every 30 seconds and logs keystrokes, which means it knows when you are logging into certain websites (your email, bank, etc.) and therefore what passwords you type in. If you keep passwords saved in your Mac Keychain, it can take that information too.
Not only that, but the command-and-control server can remotely hijack and take over any infected Mac. Pretty scary stuff! Even after Apple released urgent security updates and patches to counter this infection, it seems capable of overcoming those and undermining other weaknesses in the Apple operating system.
How do I know if I’m infected?
Sometimes, although not always, a Mac will start behaving unusually when infected with malware such as Mokes.
However, in many cases, the infection is silent and hidden unless you go looking or scan for this and other viruses. One place the Mokes malware is known to hide is a folder named ‘App Store’ inside the user’s home Library folder. Within this folder is a background service named ‘storeuserd.’ This is not a genuine part of the Mac operating system; it is a fake, created to hide Mokes.
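The hiding place just described can be checked from a terminal. The following script is an added example, not code from the original article or from CleanMyMac; it keys on the exact path from the article, `~/Library/App Store/storeuserd`, and the `demo_mokes_check` function plants an empty, constructed placeholder in a throwaway sandbox home so the check can be exercised without any real malware.

```shell
#!/bin/sh
# Added example (not from the original article): audit a home directory for the
# Mokes hiding place described above, ~/Library/App Store/storeuserd.
# The sandbox home built in demo_mokes_check is CONSTRUCTED for demonstration only.

# mokes_indicator_path HOME -> prints the indicator path for that home directory.
mokes_indicator_path() {
  printf '%s/Library/App Store/storeuserd\n' "$1"
}

# mokes_check_home HOME -> returns 0 and prints details if the fake 'storeuserd'
# exists under HOME/Library/App Store, returns 1 if it is absent.
mokes_check_home() {
  suspect=$(mokes_indicator_path "$1")
  if [ -e "$suspect" ]; then
    printf 'SUSPECT: %s\n' "$suspect"
    # Size, owner and modification time help triage; the article notes a ~14MB download.
    ls -l "$suspect"
    return 0
  fi
  printf 'clean: no %s\n' "$suspect"
  return 1
}

# mokes_check_all_homes -> checks every directory under /Users (the macOS layout)
# and prints the number of home directories that carry the indicator.
# On systems without /Users it simply prints 0.
mokes_check_all_homes() {
  hits=0
  for h in /Users/*; do
    [ -d "$h" ] || continue
    mokes_check_home "$h" >/dev/null && hits=$((hits + 1))
  done
  printf '%d\n' "$hits"
}

# Demo: constructed sandbox home with a zero-byte placeholder standing in for the
# fake service; the sandbox is removed afterwards. Returns the check's result.
demo_mokes_check() {
  sandbox=$(mktemp -d)
  mkdir -p "$sandbox/Library/App Store"
  : > "$sandbox/Library/App Store/storeuserd"   # constructed placeholder, not real malware
  mokes_check_home "$sandbox"
  found=$?
  rm -rf "$sandbox"
  return $found
}
```

Run `mokes_check_home "$HOME"` for the current user, or `mokes_check_all_homes` from an administrator shell to cover every account on the machine. The check deliberately matches the full path rather than the file name alone, because the article's point is where the file is found, and a hit should be followed by the removal steps below and a password reset, not just deletion of the one file.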
Security experts believe that it has spread through email downloads, file sharing sites, or online adverts hiding malicious downloadable programs. The file size is known to be 14MB, so it can hide fairly easily and wouldn’t take long to download. If you download anything you aren't sure of and it asks for your admin permission, play it safe and deny access. Otherwise, you risk giving it control of your Mac.
Everything it steals is sent to the command-and-control (C&C) server using AES-256-CBC encryption. Mokes is also capable of taking files and data from USB devices and other attached hard drives, and of recording video and audio.
Further analysis of this malware found that “Backdoor.OSX.Mokes.a is written in C++ using the cross-platform framework Qt. It has similar capabilities as described for other variants.”
How to remove Mokes?
Once downloaded, Mokes replicates itself and drops elements of its program in numerous Mac files and folders. If you want to remove it manually, open the Go menu in Finder and use Go to Folder to search in the following locations:
Although it may not be obvious at first, folders that shouldn’t exist will turn up as you search. Once you’ve found them, drag everything to the Trash and empty it. To make sure you are free from any infection, restart your Mac after this is done.
Always be extra careful when removing application folders and anything in this area of your Mac. Unless you know for certain what a folder is, you could remove parts of working programs by mistake. Only remove what you know is malware, spyware, or another form of computer virus.
Another way to safely remove malware is with CleanMyMac X
CleanMyMac X is an all-in-one tool for complete Mac care. It has a powerful Smart Scan tool that includes cleanup, protection, and speed up tasks, and can optimize your Mac in just a click.
CleanMyMac also has a separate Malware Removal tool that detects thousands of threats, including adware, spyware, worms, and different viruses.
Removing Mokes is as simple as:
- Download CleanMyMac X here for free.
- Open the app.
- Click the Malware Removal tab.
- Click Scan to search for any viruses.
- Click Remove, and they will vanish.
Mokes is one of the more unpleasant types of malware in the wild, infecting unsuspecting Macs and stealing valuable and vital data and passwords. If you have been infected, it is always a good idea to reset your passwords once this virus has been dealt with.