Watch out for Mokes: malware that steals bank details
What is Mokes?
First discovered in 2016 by cyber security experts at Kaspersky Lab, Mokes is a type of malware created specifically to steal login passwords and financial information. It goes after anything valuable that its creators can profit from, either directly or by selling the stolen data on the dark web.
Mokes is a fairly sophisticated cross-platform malware; it creates a backdoor into macOS, Windows and Linux devices. Once a device is infected, it takes screenshots every 30 seconds and steals keystroke data - which means it knows when you are logging into certain websites (your email, bank, etc.) and therefore which passwords are typed in. If you keep passwords stored in your Mac Keychain, it can take that information too.
Not only that, but the command-and-control server can remotely hijack and take over any infected Mac. Pretty scary stuff! Even after Apple released urgent security updates and patches to counter this infection, the malware appears to have been capable of getting around them and abusing other weaknesses in the Apple operating system.
How do I know if I’m infected?
Sometimes, although not always, a Mac will start behaving unusually when infected with malware such as Mokes.
However, in many cases the infection is silent and hidden unless you go looking or scan for this and other viruses. One place Mokes is known to hide is a folder named ‘App Store’ inside the user’s home Library folder. Within this folder is a background service named ‘storeuserd’. This is not a real part of the Mac operating system; it is a fake, created to hide Mokes.
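A quick check for the indicator just described, as an added example that is not from the original article: it looks for the fake ‘storeuserd’ service under an ‘App Store’ folder in a Library path you pass in, and (an assumption not stated in the article) also flags any LaunchAgent plist that references that name, since that is a common place for such a service to be registered. The fixture it builds is constructed, fake data for offline use; on a real Mac you would pass "$HOME/Library".

```shell
#!/bin/sh
# Added example: hunt for the Mokes indicator named in the article,
# a fake background service 'storeuserd' in ~/Library/App Store.

# scan_library LIBRARY_PATH
# Prints one FOUND line per indicator; returns 1 if anything was found,
# 0 if the Library looks clean.
scan_library() {
    lib="$1"
    found=0
    # The exact location the article describes.
    if [ -e "$lib/App Store/storeuserd" ]; then
        echo "FOUND: $lib/App Store/storeuserd"
        found=1
    fi
    # Assumption (not from the article): a LaunchAgent that points at the
    # fake service would keep it running across logins, so flag those too.
    for plist in "$lib"/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -q 'storeuserd' "$plist"; then
            echo "FOUND: $plist references storeuserd"
            found=1
        fi
    done
    return $found
}

# make_fixture
# Builds a constructed, clearly fake Library tree so the scan can be
# exercised offline. Prints the fixture path.
make_fixture() {
    fix="$(mktemp -d)"
    mkdir -p "$fix/App Store" "$fix/LaunchAgents"
    printf 'not a real binary (constructed sample)\n' \
        > "$fix/App Store/storeuserd"
    printf '<plist><string>%s</string></plist>\n' \
        "$fix/App Store/storeuserd" \
        > "$fix/LaunchAgents/com.example.fake.plist"
    echo "$fix"
}

# Stand-alone demonstration against the constructed fixture.
fixture="$(make_fixture)"
scan_library "$fixture" || echo "indicators present, investigate further"
rm -rf "$fixture"
```

A clean Library produces no output and a zero exit status, so the function can be dropped into a periodic check that alerts only on a non-zero result.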
Security experts believe it spreads through email downloads, file-sharing sites, or online adverts hiding malicious downloadable programs. The file size is known to be 14MB, so it can hide fairly easily and wouldn’t take long to download. If you download anything you aren't sure of - and it asks for your admin permission - play it safe and deny access, otherwise you risk giving it control of your Mac.
Everything it steals is sent to the command-and-control (C&C) server using AES-256-CBC encryption. Mokes is also capable of taking files and data from USB devices and other attached hard drives, and of recording video and audio.
Further analysis of this malware found that “Backdoor.OSX.Mokes.a is written in C++ using the cross-platform framework Qt. It has similar capabilities as described for other variants.”
How do I remove Mokes?
Once downloaded, Mokes replicates itself and drops components in numerous files and folders on the Mac. If you want to remove it manually, open the Finder’s Go menu and use Go to Folder to search in the following locations:
Folders that shouldn’t exist may not be obvious at first, but they should show up as you search. Once you’ve found them, drag everything to the Trash and empty it. To make sure you are free of any infection, restart your Mac after this is done.
Always be extra careful when removing application folders and anything else in this area of your Mac. Unless you know for certain what a file is, you could be removing parts of legitimate programs by mistake. Only remove what you know is malware, spyware or another form of computer virus.
Another way to safely remove malware is with CleanMyMac X.
CleanMyMac X is an all-in-one tool for complete Mac care. It has a powerful Smart Scan tool that includes cleanup, protection, and speedup tasks, and can optimize your Mac in just a click.
CleanMyMac also has a separate Malware Removal tool that detects thousands of threats, including adware, spyware, worms, and different viruses.
Removing Mokes is as simple as:
- Download CleanMyMac X here for free.
- Open the app.
- Click the Malware Removal tab.
- Click Scan to search for any viruses.
- Click Remove and they will vanish.
Mokes is one of the more unpleasant types of malware in the wild, infecting unsuspecting Macs and stealing valuable data and passwords. If you have been infected, it is always a good idea to reset your passwords once this virus has been dealt with.