Mac Users Watch Out! Hackers Are Selling MacSpy and MacRansom Malware
Apple macOS users were feeling lucky that WannaCrypt ransomware spared them the horror, a new ransomware has surfaced on the internet, which specifically infects macOS. Two new security hazards, a malware-as-a-service (MaaS) platform, and a ransomware-as-a-service (RaaS) program are designed particularly to target macOS.
Malware-as-a-Service (MaaS) portals
The Malware-as-a-Service (MaaS) portals are a part of the dark web, which offers malware as a service. The two new malware have been making rounds for two weeks now. Both the portals were launched on May 25 and were found by security checkers. The first portal is dubbed as MacSpy while the second one goes by the name MacRansom.
In simple words, these can be purchased by any user to attack other systems. Anyone can buy MacSpy and MacRansom by signing up for an email with their username and password. After it, they get an e-mail containing instruction to download a ZIP archive using the Tor browser. The malware becomes available after extracting the ZIP archive.
Both the websites look identical and are made by the same developer. The malware tools are up for sale and can be bought by anyone to infect other systems. The entire setup is run in a closed manner, which means that one has to contact the author behind the two malicious portals to get demo packages and discuss rates. It means that now anyone can buy these hazardous tools to settle scores with any mac user.
Stealing All The Stored Information
The data stolen via malware includes screenshots, keystrokes, photos synced with iCloud, browser information, recorded audio files, and retrieved clipboard content. All the data appears in the directories available on the user's account on the malware website. The standard version of MacSpy is available for free, but users can upgrade to an advanced version by shelling out unspecified amount via bitcoins. The advanced version offers features like access to emails and social accounts, retrieving files and data, encrypting user directory within seconds, and more.
What Researchers Say About MacSpy and MacRansom
Folks at Fortinet and AlienVault tested two samples of MacRansom and MacSpy, respectively. Below is what both of them found out after testing the fully-running demo versions of malware.
AlienVault researcher, Peter Ewane says about MacSpy:
Upon execution, successfully passing the anti-analysis checks and setting persistence, the malware then copies itself and associated files from the original point of execution to ~/Library/.DS_Stores/ and deletes the original files in an attempt to stay hidden from the user.
The malware then checks the functionality of its tor proxy by utilizing the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it had collected earlier, such as system information, by sending POST requests through the TOR proxy. This process repeats again for the various data the malware has collected. After exfiltration of the data, the malware deletes the temporary files containing the data it sent.
Similar to MacSpy, MacRansom also resorts to anti-debugging to get control over the system. It then encrypts the data on the system by using a TargetFileKey. Researchers at Fortinet believe that the encryption resource method is new. In the report they say:
A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number. In other words, the encrypted files can no longer be decrypted once the malware has terminated – the TargetFileKey will be freed from program’s memory and hence it becomes more challenging to create a decryptor or recovery tool to restore the encrypted files.
Moreover, it doesn’t have any function to communicate with any C&C server for the TargetFileKey meaning there is no readily available copy of the key to decrypt the files. However, it is still technically possible to recover the TargetFileKey. One of the known techniques is to use a brute-force attack. It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file’s contents.
After the encryption completes, the ransomware asks for 0.25 Bitcoins (approx. $700) from the owner of the infected system. Its ransom message commands users to send the amount to a ProtonMail address.
It is not yet clear how MacSpy and MacRansom are targeting the systems of undoubting Mac users. We think that it could be through mail spam campaigns and other exploit kits. As a note of caution, we would suggest all the Mac users be careful before clicking on any link in the e-mail or downloading any attachment. Also, keep your system updated with the latest software update. It would be even better if you keep a backup of your system.
Not Effective Enough, But The Threat Lingers
Fortinet and AlienVault published separate research stories on both MacSpy and MacRansom. However, their conclusion remains similar. The gist of the research by both is that the coder behind MacSpy and MacRansom lacks quality and is inexperienced. Despite creating two malware portals, has not done enough ground work for the codes to work effortlessly. However, the threat still remains. It would be better for the Mac users to practice caution.