Mac users are in the crosshairs of two malware-for-hire services.
A free malware-as-a-service (MaaS) platform known as MacSpy and a ransomware-as-a-service (RaaS) program dubbed MacRansom have both been purpose-built to appeal to bad actors lacking in technical expertise.
According to AlienVault, running MacSpy is as simple as emailing its authors for a ZIP file. Once unpacked, the service launches. It collects and exfiltrates data, including photos, audio files, clipboard content and browser information, and it can take screenshots and log keystrokes. All of the information can be viewed via a web portal hosted on TOR.
"Upon execution, successfully passing the anti-analysis checks and setting persistence, the malware then copies itself and associated files from the original point of execution to ~/Library/.DS_Stores/ and deletes the original files in an attempt to stay hidden from the user," AlienVault researcher Peter Ewane explained. "The malware then checks the functionality of its tor proxy by utilizing the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it had collected earlier, such as system information, by sending POST requests through the TOR proxy. This process repeats again for the various data the malware has collected. After exfiltration of the data, the malware deletes the temporary files containing the data it sent."
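The staging path quoted above gives defenders a concrete artifact to hunt for. The script below is an added example, not code from AlienVault or the article, and it assumes the persistence mechanism is a launchd LaunchAgent (the write-up does not say which mechanism is used): it flags any LaunchAgent plist whose program lives under ~/Library/.DS_Stores/, using a constructed sample directory so it runs offline.

```python
"""Hunt for the MacSpy staging pattern: a LaunchAgent whose program
lives under the hidden ~/Library/.DS_Stores/ directory."""
import plistlib
import tempfile
from pathlib import Path

# Staging directory named in the AlienVault write-up (relative to $HOME).
STAGING_DIR = "Library/.DS_Stores"

def launch_item_programs(plist_path: Path) -> list[str]:
    """Return every program path a launchd plist would execute."""
    try:
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, OSError, ValueError):
        return []  # unreadable or malformed plist: nothing to report
    programs = []
    if isinstance(data.get("Program"), str):
        programs.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        programs.append(args[0])
    return programs

def find_staged_launch_items(launch_dir: Path, home: Path) -> list[Path]:
    """Return plists in launch_dir that execute anything under home/STAGING_DIR."""
    staging = home / STAGING_DIR
    hits = []
    for plist in sorted(launch_dir.glob("*.plist")):
        if any(staging in Path(p).parents for p in launch_item_programs(plist)):
            hits.append(plist)
    return hits

def demo() -> list[str]:
    """Build a constructed (not real) home directory and scan its LaunchAgents."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        agents = home / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        # Constructed samples: one benign item, one mimicking the staged path.
        benign = {"Label": "com.example.updater",
                  "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}
        staged = {"Label": "com.example.hidden", "RunAtLoad": True,
                  "ProgramArguments": [str(home / STAGING_DIR / "agent"), "--quiet"]}
        for name, body in (("com.example.updater", benign), ("com.example.hidden", staged)):
            with (agents / f"{name}.plist").open("wb") as fh:
                plistlib.dump(body, fh)
        return [p.name for p in find_staged_launch_items(agents, home)]
```

To check a live machine, call `find_staged_launch_items(Path.home() / "Library/LaunchAgents", Path.home())`; any hit, or the mere existence of `~/Library/.DS_Stores/`, warrants a closer look since Finder's legitimate `.DS_Store` is a file, not a directory.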
MacRansom also uses a web portal hosted on TOR and can be acquired by sending its authors an email, according to Fortinet. Once deployed, it creates a launch point that allows MacRansom to run at every startup and ensures that it encrypts at a specified trigger time. Once triggered and the encryption routine has completed, victims are asked for 0.25 Bitcoins (about $700).
“Many Mac OS users might assume that their computer is exempt from things like ransomware attacks and think that their system is somehow essentially ‘secure,’” said Fortinet researchers. “It is true that it’s less likely for a Mac OS user to be attacked or infected by malware than a Windows user, but this has nothing to do with the level of vulnerability in the operating system. It is largely caused by the fact that over 90% of personal computers run on Microsoft Windows and only around 6% on Apple Mac OS.”