Reporters for the online service “Bleeping Computer” have uncovered a new threat to Apple being offered on the dark web. Thru their efforts the researchers for AlienVault were able to obtain a copy of the new “MacSpy” program, described as the most sophisticated malware for Mac OS-x operating system to date.
The hackers offering MacSpy on the dark net are not selling it but in fact – giving it away at no cost. The software combines with a provided TOR portal to enable users to hack into and obtain surveillance information from targeted MAC computers.
The authors of the malware claim that they created it because Apple products have grown so popular. It is this popularity of Apple products that appears to have driven their desire to create the remote access Trojan (RAT) program. The free version of the MacSpy malware is designed to monitor Apple users, record data on the Mac system and then covertly spin it back to the controller who launched the attacks. MacSpy is can capture screen image and has an embedded keylogger. In addition, MacSpy can also capture ICloud synced data such as photos, provide voice recording surveillance, extract clipboard contents and download browser information.
Much like contemporary software providers; the MacSpy developers offers a “paid” version with enhanced features for customers. The paid version of MacSpy has many similar features seen inside programs developed by the CIA as shown in the Wikileaks Vault 7 releases. The remote controller can update the Trojan silently, extract any file, encrypt whole user directories, deliver scheduled dumps of an entire infected system, and extract social media and email data for surveillance.
According to the AlienVault, the MacSpy program is currently “completely undetected by various AV companies and products”. The program also includes a feature to disable the ability of users to analyze, debug and understand its operation. The anti-analysis designs include a series of hardware checks against the CPU chips to ensure the program is not being executed in a virtual mode or on a minimal “sand-box” system to be examined. It also calls the Apple “ptrace” function with the proper options to prevent debuggers from attaching to the process itself.
Once the system has passed the anti-analysis features it installs itself, deletes the installation files for stealth and links up to a TOR proxy in order to begin the process of data surveillance. MacSpy does attach itself to start up files so the system will re-establish a link to the TOR proxy at the beginning of each reboot.
MacSpy transmits the data it collects by sending a POST request through the TOR proxy, and then repeatedly sends POST commands for the selected data that the malware has stolen from the infected target system. Once it has completed its download the malware deletes the temporary files containing the data it sent.
There are some bright sides to the MacSpy story. The developers appear to have copied much of their code from the Stack Overflow website for programmers. In addition, the MacSpy payload is not digitally signed and may trigger an alert on properly configured Mac OS systems.
However, according to AlienVault, the MacSpy malware is a sign that there is a dark future for Apple users.
“People generally assume when they are using Macs they are relatively safe from malware,” notes AlienVault in its dissection of the MacSpy Trojan.
“This has been a generally true statement, but this belief is becoming less and less true by the day, as evidenced by the increasing diversity in mac malware along with this name family.”
About the author: Charles R. Smith is CEO of Softwar Inc. a US based information warfare company and a former national security journalist.
(Security Affairs – MacSpy Trojan, malware)