Two new security threats, a malware-as-a-service (MaaS) platform and a ransomware-as-a-service (RaaS) program, are designed to specifically target machines running Apple macOS.
The MaaS platform, known as “MacSpy,” responds to what its authors feel is an ongoing lack of “sophisticated malware for Mac users”. Of course, that perception is not entirely accurate. We’ve seen numerous sophisticated malware strains developed for Macs over the past year or so.
It’s true, however, that MacSpy takes this budding proliferation to the next level by making macOS malware more accessible to users with low levels of technical expertise.
To get started with MacSpy, users sign up by emailing the author their preferred username and password. They then receive an email instructing them to download a ZIP archive using the Tor browser. Unzipping the archive launches the malware-as-a-service program.
When installed on a computer, the malware comes with numerous measures like anti-debugger checks in an attempt to avoid analysis. It also seeks to obtain persistence before executing. AlienVault researcher Peter Ewane explains what happens next:
“Upon execution, successfully passing the anti-analysis checks and setting persistence, the malware then copies itself and associated files from the original point of execution to ~/Library/.DS_Stores/ and deletes the original files in an attempt to stay hidden from the user. The malware then checks the functionality of its tor proxy by utilizing the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it had collected earlier, such as system information, by sending POST requests through the TOR proxy. This process repeats again for the various data the malware has collected. After exfiltration of the data, the malware deletes the temporary files containing the data it sent.”
The exfiltrated data, including screenshots, keystrokes, photos synced with iCloud, recorded audio files, retrieved clipboard content, and browser information, appears in directories that are accessible from the malware’s user web portal.
The “basic” MacSpy offering is free. But for an unspecified number of Bitcoins, users can gain even more functionality. These “advanced” features include the ability to access emails and social media accounts, retrieve any files/data, and encrypt the user directory within “in a few seconds.”
Its encryption capabilities aside, MacSpy is a quintessential spyware program.
Online criminals looking for a true ransomware package need to look elsewhere.
As it turns out, they don’t need to look too far; it appears the same authors are behind a ransomware-as-a-service platform known as MacRansom.
Like MacSpy, MacRansom also runs anti-debugging checks and tries to obtain persistence on the machine. It then encrypts the victim’s files using a TargetFileKey. According to Fortinet’s researchers, this encryption resource is fairly unique:
“A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number. In other words, the encrypted files can no longer be decrypted once the malware has terminated – the TargetFileKey will be freed from program’s memory and hence it becomes more challenging to create a decryptor or recovery tool to restore the encrypted files. Moreover, it doesn’t have any function to communicate with any C&C server for the TargetFileKey meaning there is no readily available copy of the key to decrypt the files. However, it is still technically possible to recover the TargetFileKey. One of the known techniques is to use a brute-force attack. It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file’s contents.”
Once the encryption routine has completed, this ransomware demands 0.25 Bitcoins (approximately US $700) from its victims. Its ransom message instructs users to send payment to a ProtonMail address.
It’s unclear how MacSpy and MacRansom are making their way onto unsuspecting users’ computers, but we can assume it’s through the usual distribution vectors of exploit kits and malspam campaigns. Under that assumption, users can protect themselves by exercising caution around suspicious links and attachments and by regularly updating their systems.
They should also back up their data on a regular basis.
For more discussion of this topic be sure to listen to this recent episode of the “Smashing Security” podcast: