MacSpy and MacRansom are regarded as the most sophisticated Mac malware and ransomware seen so far. They mark the start of a new strand of 'malware as a service' (MAAS) in which additional features can be bought by cyber-criminals. Both MacSpy and MacRansom have been available on the dark web since May 25.
MacSpy can capture screenshots every 30 seconds, log every keystroke, access synced iPhone photos, record sound continuously even with the microphone apparently turned off, retrieve clipboard contents, and obtain history and download data from Safari and Chrome without leaving digital fingerprints. Additional features, including access to emails and social network accounts, retrieval of files, and encryption of the user directory, can be bought by cyber-criminals from the developer.
MacRansom can encrypt the home directory in under a minute (according to the supplier), cannot be identified once in place, and also leaves no digital fingerprints. The developer claims the encryption uses an "unbreakable" 128-bit industry-standard encryption algorithm that will leave the victim "no option but to purchase our decryption software". The current decryption charge, payable in bitcoin, is the equivalent of around AU$1000.
An additional problem for Mac users is that some of the code can also (apparently unintentionally) destroy users' files, because the decryption key cannot be retrieved.
AlienVault claim the best way to identify MacSpy is via intrusion detection software (IDS).
Currently, the lack of a digital fingerprint for MacSpy and MacRansom makes detection by anti-malware software difficult.
The picture so far is of a new supplier of sophisticated Mac malware services and software.
Viewed from this perspective, the current items for sale (MacSpy and MacRansom) are the initial demonstration of the potential capability of the developer(s) and malware suppliers.
The implication is that cyber-criminals will take advantage of this almost undetectable technology to build malware components for specific target groups of Mac users.
Take-Aways: MacSpy and MacRansom
- There are two new and significant items of Mac malware in the wild, MacSpy and MacRansom
- MacSpy and MacRansom demonstrate the ability to create and supply Mac malware as a service (MAAS)
- Both MacSpy and MacRansom are hard to detect
- The lack of a digital fingerprint for MacSpy and MacRansom makes detection by anti-malware software problematic
- The usual care in opening unknown documents and files offers a basic protection
- The emergence of MacSpy and MacRansom marks a significant point in the evolution of the Mac malware environment