Mokes malware

Mokes malware – malicious software that targets users’ banking credentials

Mokes malware
Mokes malware is a sophisticated backdoor designed to steal personal information from the host machine by employing keylogging, screenshot-taking, and other capabilities

Mokes malware
Mokes malware is a sophisticated backdoor designed to steal personal information from the host machine by employing keylogging, screenshot-taking, and other capabilities

Mokes is a cross-platform backdoor that was first discovered in 2016 by Kaspersky security researchers.[1] Malware targets Windows, macOS/Mac OS X, as well as Linux users and is packed of various capabilities, including data theft, keystroke capture, screenshot making, audio/video footage recording, and much more. While over the years, the developers used different tactics to distribute the malware, most recently Mokes virus was spotted being delivered with the help of online scams, which shows users that the security certificate has expired as soon as they land on a malicious website.[2]

Mokes malware removal is crucial to every computer owner who was infected with it. In case it is allowed to run for a prolonged time, it can steal and deliver the most sensitive data to malicious actors behind it. As a result, victims might suffer from monetary losses, installation of other malware, or even identity theft.

Name Mokes malware
Type Backdoor
Platform The malware is cross-platform – it targets Windows (Backdoor.Win32.Mokes.imv), macOS (OSX.Mokes), and Linux (Backdoor.Linux.Mokes.a) users
Distribution The malware is delivered with the help of various methods, including spam emails, exploits, file sharing sites, hacked sites, and, most recently, fake security certificate alerts
  • Creates a backdoor that allows propagation of other malware
  • Connects to a remote Command & Control server to receive and execute commands
  • Steals banking login details and financial information
  • Logs keystrokes
  • Takes screenshots and records video
  • Monitors USB storage, etc. 
Dangers  Infection of another malware, such as ransomware, financial losses, identity theft 
Symptoms  Rarely any, although more advanced users can spot new folders and other entries created by Mokes
Termination Use reputable anti-malware software that can detect and eliminate malware and all its files from the system safely – we recommend using SpyHunter 5Combo Cleaner or Malwarebytes 
System fix In case your Windows system is malfunctioning after you get rid of the infection (lag, crashes, errors), you can repair virus damage with the help of Reimage Reimage Cleaner Intego 

Mokes malware is a sophisticated backdoor that can steal information without victims noticing its presence on the device. As a result, they might suffer from significant monetary losses due to banking credential theft and also be exposed to the Dark Web, which means that the stolen data can be used to purchase goods online in victims’ names, take out loans, etc. In other words, Mokes virus can result in identity theft, which can be disastrous to any individual.

Over time, Mokes malware developers used a variety of distribution techniques, including:

  • spam email attachments
  • targeted phishing attacks
  • (zero-day) exploits
  • repacked software installers
  • fake updates, etc.

Once executed, Mokes virus will begin the infection of the system, which also differs, depending on the platform that is used. After the infiltration, malware will drop a variety of malicious files on the infected device and also connect to a remote C&C server, which is used to deliver stolen information, as well as receive commands from malicious actors.

Mokes malware will begin to steal valuable data from the infected individual, including keystrokes, which means that everything that is typed on online banking, social media, and other websites can be retrieved by cybercriminals. Additionally, it may take screenshots every 30 seconds and also record audio. Unfortunately, because Mokes is a silent virus, most users will be unaware that it is operating in the background and stealing an excessive amount of information about them.

Therefore, the only way to detect and remove Mokes malware is by employing anti-virus software that can scan the machine thoroughly and eliminate all the malicious files and traces. Additionally, to fix virus damage, users are recommended using Reimage Reimage Cleaner Intego.

Mokes malware recreates its nine times in different locations on Windows

When the Windows version of the malware was initially noticed, it also came with a valid certificate – it meant that users were not asked whether they want to execute the malicious file on their computers.

Upon infiltration on Windows machines, Mokes malware chooses nine random locations on Windows’ %AppData% folder and then copies itself there. Additionally, the virus creates a folder called “version,” which holds information about a version of the installed malicious software.

Mokes virus
Mokes malware is a malicious program that communicates with a remote server by using encrypted connection

Mokes virus
Mokes malware is a malicious program that communicates with a remote server by using encrypted connection

For persistence, Mokes virus will create the registry keys under the following entry (this ensures that malware launches with every Windows boot – typical behavior of most malicious programs):


Later, Mokes malware uses a built-in Windows API in order to enable the keylogger functionality on the computer, as well as record the mouse inputs of the victim. As a final step, it contacts its C&C server, which it can receive commands from every 60 seconds. All the communications are encrypted with a secure AES encryption algorithm, along with all the stolen data from the victim’s machine.

Mokes for Mac creates a folder that may seem legitimate to regular users

On macOS, Mokes malware is known as OSX.Mokes or Backdoor.OSX.Mokes.a, and is written in C++ by utilizing the Qt framework. Initially, Apple patched the vulnerability that was used to proliferate the infection, but new variants of Mokes virus soon showed up, and these could bypass the newly implemented security measures.

Just like on Windows, Mokes malware typically operates silently in the background, without showing any signs or symptoms to regular users. Nevertheless, some might notice suspicious or erratic Mac behavior when the infection is present. For example, if you notice pop-ups like “ wants access to control” should never be ignored, as it is an unusual behavior of the computer.

After gaining access to a Mac, Mokes will create a new folder labeled as “App Store” in the Home Library folder. This folder typically does not exist on macOS systems, but the name is used to deliberately mislead users if they happen to encounter it on their devices. Inside, it will create a service “storeuserd,” which is used to hide Mokes from being detected.

As evident, some macOS users still claim that malware is not an issue to this platform – malware strains like Mokes, Shlayer TrojanCrescentCore, and many others prove that Macs need extra protection. Besides, the 2019 malware report, delivered by Malwarebytes researchers, claimed that Mac malware is outpacing even Windows machines.

Mokes malware distribution and avoidance techniques

Malicious actors behind the campaign used a variety of techniques to distribute the malicious program. Security researchers spotted it abusing the zero-day vulnerability within the Mozilla Firefox web browser[3] – once users land on a specially crafted site (via the redirects or adware), a weak spot within the software is abused to insert malware automatically. Thus, users are injected with malicious payload without performing any actions at all. Hence, it is vital to patch all the installed software with security updates as soon as possible (this includes the operating system as well).

Another popular technique used by attackers is spam email attachments. These typically include various attributes of legitimate and well-known companies like UPS or Amazon. Using social engineering, malicious actors pretend to be representatives of these corporations and urge users to open the attached file. Thus, make sure you never open an executable file clipped to the mail, or never allow MS Office files to run macro function.

In mid- January 2020, Mokes malware was spotted in a phishing campaign abuse the trusted certificate feature on various websites, including zoo and e-commerce sites. Upon entering the page, users were met with the following message:

Security Certificate is out of date

Detected a potential security risk and has not extended the transition of
Installing a security certificate may allow this connection to succeed.


Submit to to Google URL and content of some visited pages as well as limited system information to enhance the security of Chrome. Privacy policy.

Install (Recommended)

Because the alert uses formatting and attributes that are typical to Google Chrome’s warning alerts, many users might not suspect a thing and proceed with the installation process of the “Certificate_Update_v02.2020.exe,” which is actually Mokes malware payload. To avoid the deception, you should use sophisticated anti-malware tools along with web protection shields on your machine.

Mokes malware delivery
Mokes malware was spotted being delivered with the help of fake certificates

Mokes malware delivery
Mokes malware was spotted being delivered with the help of fake certificates

Terminate Mokes malware

As previously mentioned, Mokes virus is a stealthy backdoor that typically does not emit any symptoms. Therefore, unless you are an advanced user who knows about which files belong to the OS and which are imported by malware, you most likely never know that it is running on the background of your Windows, macOS, or Linux computer. Thus, you should employ anti-malware software to remove Mokes malware from your system at once. If you keep up-to-date security software on your computer, you can avoid most of the malicious intrusions in the future.

Note that Mokes malware removal might get interrupted due to its functionality. In such a case, you can access Safe Mode with Networking, as explained below, and perform a full system scan from there. Additionally, we highly advise you to monitor your online banking activities for unauthorized transactions, as these can often be reverted after contacting the bank. In case you find your credit card compromised, contact your bank and close it down immediately.

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-03-18 at 05:16 and is filed under Malware, Viruses.