Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

6/12/2017
04:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New Malware-as-a-Service Offerings Target Mac OS X

MacSpy and MacRansom are two early variants of malware-as-a-service portals targeting the broader population of Mac users.

Threat actors are setting their sights on Mac OS with MacSpy and MacRansom. The two malware-as-a-service (MaaS) offerings were created to take advantage of the growing Mac user base.

The concept of MaaS is not new; however, malware authors have historically targeted more popular Windows devices.

"The fact that this is a focused effort for just Mac OS makes it unique," says Peter Ewane, security researcher at AlienVault.

Researchers at AlienVault discovered MacSpy in May 2017 through an advertisement for the service. The free variant of the Mac RAT is primarily used to collect various pieces of user data, which can include browser history, screenshots, clipboard data, and other information.

Cybercriminals collect the data through clipboard data scraping, keylogging, voice recording, and browser data harvesting, Ewane explains. They trick their victims into executing the malware, or obtain physical access to the device, to get what they're looking for.

"The business impact can vary depending on what data is collected," Ewane explains. "For example, getting the username and password for an email account is a much smaller impact than the attacker potentially getting a private key for a web service."

There is also a paid version of MacSpy, which costs an unknown number of Bitcoins and comes with additional features including the abilities to retrieve any files and data on the Mac, encrypt the user directory in seconds, or disguise the program in any legitimate file format.

MacSpy is not widespread at this time and seems to be in a "beta" test mode. It is not known to exploit any vulnerabilities, says Eware. Victims can verify whether they have been infected by checking for a launch entry "/Library/LaunchAgents/com.apple.webkit.plis".

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

MacRansom is the only other known variant of MaaS targeting Mac devices. The ransomware-as-a-service (RaaS) offering was discovered by Fortinet researchers around the same time AlienVault found MacSpy.

Fortinet reports this could be the first known occurrence of RaaS targeting Mac OS. MacRansom shares web portal similarities with MacSpy and it's believed the two were developed by the same malware author.

The malware customers must directly contact the MacRansom author and can set a trigger time to launch their attack. When they do, the ransomware begins to lock files and can encrypt a maximum of 128.

After it encrypts targeted files, MacRansom encrypts both com.apple.finder.plist and the original executable. It changes the Time Date Stamp; this way, even if recovery tools are used to retrieve the files, they will be rendered unusable. The ransomware demands 0.25 Bitcoin (~$657 USD) and provides an email address for decryption.

"Even if it is far inferior from most current ransomware targeting Windows, it doesn't fail to encrypt victim's files or prevent access to important files, thereby causing real damage," say Fortinet's Rommel Joven and Wayne Chin Yick Low, who also express concern that copycats will generate additional variants of MacRansom.

The MacSpy authors, currently unknown, state they created this malware in response to Apple products gaining popularity in recent years, AlienVault reports. During their time in the field, the authors explain, they noticed a lack of "sophisticated malware for Mac users" and created MacSpy because they believed "people were in need of such programs on MacOS."

Higher rates of business adoption are likely part of the motivation. "One could say Mac OS adoption by [the] enterprise is making them a more interesting target to malware authors," adds Ewane. Security teams can protect their organizations with up-to-date antivirus and endpoint protection, he says, as well as user training.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
6/13/2017 | 4:29:00 PM
Re: Not very impressed with the risk
Agreed.  No admin access to the user system is definitely the best way to go.  That's what we do here and I'd rather see an admin huff up to a user's desk and do a managed install than see a user able to install whatever they want :-)
SchemaCzar
100%
0%
SchemaCzar,
User Rank: Strategist
6/13/2017 | 4:12:00 PM
Re: Not very impressed with the risk
Hmmmm.  I see your point.  I've worked in some places, however, that completely block any software installation or execution by end users.
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
6/13/2017 | 3:47:34 PM
Re: Not very impressed with the risk
I had the same initial response, but I do realize that a massive amount of the typical cybersecurity engineer's target flock (assuming you work in end user security) are folks who can be duped, who do put in the effort to install and run such apps, and then provide whatever is asked for.  Now, take that to the Enterprise security level and realize many of those end users are working in your environment, and now you have a serious headache for InfoSec techs.  We are taxed to tears by simple and inelegant intrusions like those created by malware and I think it is worthwhile to talk about them, as well as the more sophisticated and ultimately more damaging exploits. 
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
6/13/2017 | 10:22:52 AM
Not very impressed with the risk
These exploits are all Trojan Horses.  The victim must be duped not just into launching the app, but to override the security settings.  They have other inexplicable weaknesses - they don't seem that serious.  I trust OSX security a lot, but there must be more serious attacks than this.  MacRansom is essentially a shell script, and the encryption key may not be recoverable.  What is the deal???
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.