Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/12/2017
04:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New Malware-as-a-Service Offerings Target Mac OS X

MacSpy and MacRansom are two early variants of malware-as-a-service portals targeting the broader population of Mac users.

Threat actors are setting their sights on Mac OS with MacSpy and MacRansom. The two malware-as-a-service (MaaS) offerings were created to take advantage of the growing Mac user base.

The concept of MaaS is not new; however, malware authors have historically targeted more popular Windows devices.

"The fact that this is a focused effort for just Mac OS makes it unique," says Peter Ewane, security researcher at AlienVault.

Researchers at AlienVault discovered MacSpy in May 2017 through an advertisement for the service. The free variant of the Mac RAT is primarily used to collect various pieces of user data, which can include browser history, screenshots, clipboard data, and other information.

Cybercriminals collect the data through clipboard data scraping, keylogging, voice recording, and browser data harvesting, Ewane explains. They trick their victims into executing the malware, or obtain physical access to the device, to get what they're looking for.

"The business impact can vary depending on what data is collected," Ewane explains. "For example, getting the username and password for an email account is a much smaller impact than the attacker potentially getting a private key for a web service."

There is also a paid version of MacSpy, which costs an unknown number of Bitcoins and comes with additional features including the abilities to retrieve any files and data on the Mac, encrypt the user directory in seconds, or disguise the program in any legitimate file format.

MacSpy is not widespread at this time and seems to be in a "beta" test mode. It is not known to exploit any vulnerabilities, says Eware. Victims can verify whether they have been infected by checking for a launch entry "/Library/LaunchAgents/com.apple.webkit.plis".

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

MacRansom is the only other known variant of MaaS targeting Mac devices. The ransomware-as-a-service (RaaS) offering was discovered by Fortinet researchers around the same time AlienVault found MacSpy.

Fortinet reports this could be the first known occurrence of RaaS targeting Mac OS. MacRansom shares web portal similarities with MacSpy and it's believed the two were developed by the same malware author.

The malware customers must directly contact the MacRansom author and can set a trigger time to launch their attack. When they do, the ransomware begins to lock files and can encrypt a maximum of 128.

After it encrypts targeted files, MacRansom encrypts both com.apple.finder.plist and the original executable. It changes the Time Date Stamp; this way, even if recovery tools are used to retrieve the files, they will be rendered unusable. The ransomware demands 0.25 Bitcoin (~$657 USD) and provides an email address for decryption.

"Even if it is far inferior from most current ransomware targeting Windows, it doesn't fail to encrypt victim's files or prevent access to important files, thereby causing real damage," say Fortinet's Rommel Joven and Wayne Chin Yick Low, who also express concern that copycats will generate additional variants of MacRansom.

The MacSpy authors, currently unknown, state they created this malware in response to Apple products gaining popularity in recent years, AlienVault reports. During their time in the field, the authors explain, they noticed a lack of "sophisticated malware for Mac users" and created MacSpy because they believed "people were in need of such programs on MacOS."

Higher rates of business adoption are likely part of the motivation. "One could say Mac OS adoption by [the] enterprise is making them a more interesting target to malware authors," adds Ewane. Security teams can protect their organizations with up-to-date antivirus and endpoint protection, he says, as well as user training.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
100%
0%
Christian Bryant,
User Rank: Ninja
6/13/2017 | 4:29:00 PM
Re: Not very impressed with the risk
Agreed.  No admin access to the user system is definitely the best way to go.  That's what we do here and I'd rather see an admin huff up to a user's desk and do a managed install than see a user able to install whatever they want :-)
SchemaCzar
100%
0%
SchemaCzar,
User Rank: Strategist
6/13/2017 | 4:12:00 PM
Re: Not very impressed with the risk
Hmmmm.  I see your point.  I've worked in some places, however, that completely block any software installation or execution by end users.
Christian Bryant
100%
0%
Christian Bryant,
User Rank: Ninja
6/13/2017 | 3:47:34 PM
Re: Not very impressed with the risk
I had the same initial response, but I do realize that a massive amount of the typical cybersecurity engineer's target flock (assuming you work in end user security) are folks who can be duped, who do put in the effort to install and run such apps, and then provide whatever is asked for.  Now, take that to the Enterprise security level and realize many of those end users are working in your environment, and now you have a serious headache for InfoSec techs.  We are taxed to tears by simple and inelegant intrusions like those created by malware and I think it is worthwhile to talk about them, as well as the more sophisticated and ultimately more damaging exploits. 
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
6/13/2017 | 10:22:52 AM
Not very impressed with the risk
These exploits are all Trojan Horses.  The victim must be duped not just into launching the app, but to override the security settings.  They have other inexplicable weaknesses - they don't seem that serious.  I trust OSX security a lot, but there must be more serious attacks than this.  MacRansom is essentially a shell script, and the encryption key may not be recoverable.  What is the deal???
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.
CVE-2019-12830
PUBLISHED: 2019-06-15
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.