MacSpy and MacRansom: New strains of malware for Mac OS

Security researchers at AlienVault have identified two new strains of Mac malware that have been offered through malware-as-a-service (MaaS) portals on the dark web over the past month. The services have been named MacSpy (which offers spyware) and MacRansom (which offers ransomware).

Malware for Mac OS is relatively uncommon. According to Bleeping Computer, both of these malware services are the work of the same developer. Bleeping Computer also reports that both services run in a “closed” manner, “meaning crooks have to contact the malware author to receive demo packages and negotiate going rates”.

What do the services do?

MacSpy’s authors, who are quoted in AlienVault’s blog, say they created the program because “people were in need of such programs on MacOS”. The authors claim the service offers:

  • No digital trace of the threat actor
  • Screen capture every 30 seconds
  • Key logging
  • iCloud syncing
  • Invisibility from the victim
  • Continuous voice recording
  • The ability to retrieve clipboard contents
  • The ability to obtain browser history

The malware also offers users the opportunity to upgrade to a premium version, which is available for an undisclosed sum (payable in bitcoins, of course). The premium version includes the ability to adjust the frequency with which users can capture and record information, a daily zip of all the files collected that day and the encryption of the entire user directory in a few seconds.

At around the same time that MacSpy was identified, researchers at Fortinet published details about MacRansom. According to its blog, the security firm’s researchers came across the ransomware in a TOR network, and “thought of it as a scam since there was no sample”. To verify this, the researchers emailed the authors of the malware. Their reply was similar to the message sent to AlienVault’s researchers – namely, they wanted to take advantage of the lack of existing malware targeting Mac OS.

MacRansom claims to offer:

  • No digital trace of the threat actor
  • Complete invisibility from the victim until the ransomware is executed
  • Unbreakable encryption
  • The encryption of the victim’s home directory in under a minute

Stay secure

Because malware designed for Mac OS is rare, Mac users may mistakenly think that the operating system is more secure than its competitors. Although it’s true that Mac users are less likely to be attacked or infected by malware than Windows users, the reason is not that Mac OS is any more secure, but that only around 6% of computers run on Mac OS. Cyber criminals instead focus their programs on Windows, which dominates the market, in order to target the greatest number of people.

However, as Mac OS becomes more popular, more malware is being designed for it. In addition to MacSpy and MacRansom, two major types of ransomware have been discovered in the past two years – first Tox and then Shark.

If you’re concerned about your organisation’s susceptibility to an infection – whether your computers run on Mac OS, Windows, or any other operating system – you should conduct regular penetration tests. Testing is an essential component of any cyber security strategy, and it is intended to find security weaknesses in your systems that could be exploited.
