Threat actors are setting their sights on Mac OS with MacSpy and MacRansom. The two malware-as-a-service (MaaS) offerings were created to take advantage of the growing Mac user base.
The concept of MaaS is not new; however, malware authors have historically targeted more popular Windows devices.
"The fact that this is a focused effort for just Mac OS makes it unique," says Peter Ewane, security researcher at AlienVault.
Researchers at AlienVault discovered MacSpy in May 2017 through an advertisement for the service. The free variant of the Mac RAT is primarily used to collect various pieces of user data, which can include browser history, screenshots, clipboard data, and other information.
Cybercriminals collect the data through clipboard data scraping, keylogging, voice recording, and browser data harvesting, Ewane explains. They trick their victims into executing the malware, or obtain physical access to the device, to get what they're looking for.
"The business impact can vary depending on what data is collected," Ewane explains. "For example, getting the username and password for an email account is a much smaller impact than the attacker potentially getting a private key for a web service."
There is also a paid version of MacSpy, which costs an unknown number of Bitcoins and comes with additional features including the abilities to retrieve any files and data on the Mac, encrypt the user directory in seconds, or disguise the program in any legitimate file format.
MacSpy is not widespread at this time and seems to be in a "beta" test mode. It is not known to exploit any vulnerabilities, says Eware. Victims can verify whether they have been infected by checking for a launch entry "/Library/LaunchAgents/com.apple.webkit.plis".
MacRansom is the only other known variant of MaaS targeting Mac devices. The ransomware-as-a-service (RaaS) offering was discovered by Fortinet researchers around the same time AlienVault found MacSpy.
Fortinet reports this could be the first known occurrence of RaaS targeting Mac OS. MacRansom shares web portal similarities with MacSpy and it's believed the two were developed by the same malware author.
The malware customers must directly contact the MacRansom author and can set a trigger time to launch their attack. When they do, the ransomware begins to lock files and can encrypt a maximum of 128.
After it encrypts targeted files, MacRansom encrypts both com.apple.finder.plist and the original executable. It changes the Time Date Stamp; this way, even if recovery tools are used to retrieve the files, they will be rendered unusable. The ransomware demands 0.25 Bitcoin (~$657 USD) and provides an email address for decryption.
"Even if it is far inferior from most current ransomware targeting Windows, it doesn't fail to encrypt victim's files or prevent access to important files, thereby causing real damage," say Fortinet's Rommel Joven and Wayne Chin Yick Low, who also express concern that copycats will generate additional variants of MacRansom.
The MacSpy authors, currently unknown, state they created this malware in response to Apple products gaining popularity in recent years, AlienVault reports. During their time in the field, the authors explain, they noticed a lack of "sophisticated malware for Mac users" and created MacSpy because they believed "people were in need of such programs on MacOS."
Higher rates of business adoption are likely part of the motivation. "One could say Mac OS adoption by [the] enterprise is making them a more interesting target to malware authors," adds Ewane. Security teams can protect their organizations with up-to-date antivirus and endpoint protection, he says, as well as user training.