Endpoint

6/12/2017
04:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New Malware-as-a-Service Offerings Target Mac OS X

MacSpy and MacRansom are two early variants of malware-as-a-service portals targeting the broader population of Mac users.

Threat actors are setting their sights on Mac OS with MacSpy and MacRansom. The two malware-as-a-service (MaaS) offerings were created to take advantage of the growing Mac user base.

The concept of MaaS is not new; however, malware authors have historically targeted more popular Windows devices.

"The fact that this is a focused effort for just Mac OS makes it unique," says Peter Ewane, security researcher at AlienVault.

Researchers at AlienVault discovered MacSpy in May 2017 through an advertisement for the service. The free variant of the Mac RAT is primarily used to collect various pieces of user data, which can include browser history, screenshots, clipboard data, and other information.

Cybercriminals collect the data through clipboard data scraping, keylogging, voice recording, and browser data harvesting, Ewane explains. They trick their victims into executing the malware, or obtain physical access to the device, to get what they're looking for.

"The business impact can vary depending on what data is collected," Ewane explains. "For example, getting the username and password for an email account is a much smaller impact than the attacker potentially getting a private key for a web service."

There is also a paid version of MacSpy, which costs an unknown number of Bitcoins and comes with additional features including the abilities to retrieve any files and data on the Mac, encrypt the user directory in seconds, or disguise the program in any legitimate file format.

MacSpy is not widespread at this time and seems to be in a "beta" test mode. It is not known to exploit any vulnerabilities, says Eware. Victims can verify whether they have been infected by checking for a launch entry "/Library/LaunchAgents/com.apple.webkit.plis".

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

MacRansom is the only other known variant of MaaS targeting Mac devices. The ransomware-as-a-service (RaaS) offering was discovered by Fortinet researchers around the same time AlienVault found MacSpy.

Fortinet reports this could be the first known occurrence of RaaS targeting Mac OS. MacRansom shares web portal similarities with MacSpy and it's believed the two were developed by the same malware author.

The malware customers must directly contact the MacRansom author and can set a trigger time to launch their attack. When they do, the ransomware begins to lock files and can encrypt a maximum of 128.

After it encrypts targeted files, MacRansom encrypts both com.apple.finder.plist and the original executable. It changes the Time Date Stamp; this way, even if recovery tools are used to retrieve the files, they will be rendered unusable. The ransomware demands 0.25 Bitcoin (~$657 USD) and provides an email address for decryption.

"Even if it is far inferior from most current ransomware targeting Windows, it doesn't fail to encrypt victim's files or prevent access to important files, thereby causing real damage," say Fortinet's Rommel Joven and Wayne Chin Yick Low, who also express concern that copycats will generate additional variants of MacRansom.

The MacSpy authors, currently unknown, state they created this malware in response to Apple products gaining popularity in recent years, AlienVault reports. During their time in the field, the authors explain, they noticed a lack of "sophisticated malware for Mac users" and created MacSpy because they believed "people were in need of such programs on MacOS."

Higher rates of business adoption are likely part of the motivation. "One could say Mac OS adoption by [the] enterprise is making them a more interesting target to malware authors," adds Ewane. Security teams can protect their organizations with up-to-date antivirus and endpoint protection, he says, as well as user training.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
No SOPA
100%
0%
No SOPA,
User Rank: Ninja
6/13/2017 | 4:29:00 PM
Re: Not very impressed with the risk
Agreed.  No admin access to the user system is definitely the best way to go.  That's what we do here and I'd rather see an admin huff up to a user's desk and do a managed install than see a user able to install whatever they want :-)
SchemaCzar
100%
0%
SchemaCzar,
User Rank: Strategist
6/13/2017 | 4:12:00 PM
Re: Not very impressed with the risk
Hmmmm.  I see your point.  I've worked in some places, however, that completely block any software installation or execution by end users.
No SOPA
100%
0%
No SOPA,
User Rank: Ninja
6/13/2017 | 3:47:34 PM
Re: Not very impressed with the risk
I had the same initial response, but I do realize that a massive amount of the typical cybersecurity engineer's target flock (assuming you work in end user security) are folks who can be duped, who do put in the effort to install and run such apps, and then provide whatever is asked for.  Now, take that to the Enterprise security level and realize many of those end users are working in your environment, and now you have a serious headache for InfoSec techs.  We are taxed to tears by simple and inelegant intrusions like those created by malware and I think it is worthwhile to talk about them, as well as the more sophisticated and ultimately more damaging exploits. 
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
6/13/2017 | 10:22:52 AM
Not very impressed with the risk
These exploits are all Trojan Horses.  The victim must be duped not just into launching the app, but to override the security settings.  They have other inexplicable weaknesses - they don't seem that serious.  I trust OSX security a lot, but there must be more serious attacks than this.  MacRansom is essentially a shell script, and the encryption key may not be recoverable.  What is the deal???
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
CVE-2019-8919
PUBLISHED: 2019-02-18
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2019-8917
PUBLISHED: 2019-02-18
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may b...
CVE-2019-8908
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/g...
CVE-2019-8909
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.