MacSpy – The Most Sophisticated Mac Spyware Ever

MacSpy is advertised as the ‘most sophisticated Mac spyware ever’ and it’s free.

The new Mac malware was created by the same developers who wrote MacRansom. They state that they wrote it because Apple products have gained popularity in recent years.

The free version of MacSpy is designed to monitor Apple users, record data on the Mac and then covertly send it back to the controller who launched the attack. MacSpy can capture screenshots and has an embedded keylogger. It can also capture iCloud-synced data such as photos, record audio from the microphone, extract clipboard contents and collect browser data.

A premium, advanced version of MacSpy is available for purchase for an undisclosed amount of Bitcoin (BTC). The advanced version boasts extra functionality such as encrypting user directories, retrieving data on demand and disguising itself as a legitimate program.

After researchers obtained a copy, analysis revealed that the original zip archive contains four files. One of these files is not digitally signed and was completely undetected by anti-virus (AV) vendors at the time of analysis. Further analysis of another file shows that MacSpy communicates with its controller over the Tor network.

MacSpy employs anti-analysis features, including the ability to determine whether it is being debugged. The malware is also virtual machine (VM) aware: it performs various checks to determine whether the execution environment is a physical machine and will not execute properly inside a virtual environment, which frustrates sandbox-based analysis.

Indicators of Compromise

Files:

~/Library/LaunchAgents/com.apple.webkit.plist
~/Library/LaunchAgents/com.apple.finder.plist

Directories:

~/Library/.DS_Stores/
~/Library/.FS_Store

Remediation

  • Ensure AV and malware definitions are kept up to date
  • Ensure all operating system updates are applied at the earliest opportunity
  • Remain vigilant when opening email attachments and never open an attachment from an unknown sender
  • Due to the nature of the malware, if an active infection is identified, the affected device should be completely reimaged and any credentials used on the host since initial infection should be changed.
  • Monitor file changes for the above files and directories.
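The following Python script is an added example, not code from the article or from the malware itself. It checks a home directory for the files and directories listed above, then parses every plist in ~/Library/LaunchAgents (using the standard-library plistlib) and flags agents that match MacSpy's persistence pattern: a label in Apple's com.apple. namespace inside a user's LaunchAgents folder (Apple ships its own agents under /System/Library/LaunchAgents, not in home directories), or a program that runs from a hidden dot-directory or from one of the IOC directories. The heuristics, the constructed sample home directory it builds for demonstration, and the placeholder binary name "agent" are assumptions; the real binary name is not given in the write-up.

```python
"""Hunt for MacSpy-style persistence artefacts under a macOS home directory.
Added example; not the article's or the malware's code. Heuristics are assumptions."""
import os
import plistlib
import tempfile
from pathlib import Path

# Indicators of compromise from the write-up, relative to the home directory.
IOC_FILES = (
    "Library/LaunchAgents/com.apple.webkit.plist",
    "Library/LaunchAgents/com.apple.finder.plist",
)
IOC_DIRS = (
    "Library/.DS_Stores",
    "Library/.FS_Store",
)


def check_iocs(home):
    """Return the IOC paths that exist under `home`, relative to it."""
    home = Path(home)
    hits = [p for p in IOC_FILES if (home / p).is_file()]
    hits += [p for p in IOC_DIRS if (home / p).is_dir()]
    return hits


def _program_path(agent):
    """Program a launch agent runs: `Program` takes precedence over `ProgramArguments[0]`."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def _resolve(prog, home):
    """Expand a leading ~ against the home being inspected, not the caller's $HOME."""
    if prog == "~" or prog.startswith("~/"):
        return Path(home) / prog[2:]
    return Path(prog)


def suspicious_launch_agents(home):
    """Return (plist name, reasons) for user launch agents matching MacSpy's pattern."""
    home = Path(home)
    agents_dir = home / "Library" / "LaunchAgents"
    findings = []
    if not agents_dir.is_dir():
        return findings
    for plist in sorted(agents_dir.glob("*.plist")):
        try:
            with open(plist, "rb") as fp:
                agent = plistlib.load(fp)
        except Exception:  # a launch agent that launchd cannot parse is itself worth a look
            findings.append((plist.name, ["plist could not be parsed"]))
            continue
        reasons = []
        label = str(agent.get("Label", ""))
        if label.startswith("com.apple."):  # assumption: Apple's own agents never live in ~/Library
            reasons.append(f"label {label!r} impersonates Apple's namespace")
        prog = _resolve(_program_path(agent), home)
        try:
            rel = prog.relative_to(home)
        except ValueError:  # program lives outside the home directory
            rel = None
        if rel is not None:
            if any(part.startswith(".") for part in rel.parts[:-1]):
                reasons.append(f"program {prog} runs from a hidden directory")
            if any(rel.as_posix().startswith(d + "/") for d in IOC_DIRS):
                reasons.append(f"program {prog} lives in a known MacSpy directory")
        if reasons:
            findings.append((plist.name, reasons))
    return findings


def build_sample_home(root):
    """Constructed sample infection (not real malware data): the IOC launch agent pointing
    at a placeholder binary in the hidden IOC directory, plus one benign agent."""
    root = Path(root)
    agents = root / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    hidden = root / "Library" / ".DS_Stores"
    hidden.mkdir()
    (hidden / "agent").write_bytes(b"")  # placeholder name, an assumption
    with open(agents / "com.apple.webkit.plist", "wb") as fp:
        plistlib.dump({"Label": "com.apple.webkit",
                       "ProgramArguments": [str(hidden / "agent")],
                       "RunAtLoad": True}, fp)
    with open(agents / "com.example.backup.plist", "wb") as fp:
        plistlib.dump({"Label": "com.example.backup",
                       "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup"],
                       "StartInterval": 3600}, fp)
    return root


def run_demo():
    """Run both checks against the constructed sample home and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(tmp)
        return {"iocs": check_iocs(home), "agents": suspicious_launch_agents(home)}


if __name__ == "__main__":
    real_home = os.path.expanduser("~")
    for hit in check_iocs(real_home):
        print("IOC present:", hit)
    for name, reasons in suspicious_launch_agents(real_home):
        print(name, "->", "; ".join(reasons))
```

Run it as the affected user, since launch agents are per-user. A hit on any IOC path is strong evidence of MacSpy; the launch-agent heuristics are broader and will also surface other persistence that hides behind Apple-looking labels, so review each finding rather than deleting on sight, and remember that a clean result from this script does not clear a host on which the malware's VM and debugger checks may have prevented installation artefacts from being written.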





Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
