Two pieces of Mac malware – MacRansom and MacSpy – that seem to be created by the same developer are being offered for sale through two separate dark web portals.
The malware developer offers both through an as-a-Service model, and potential users are instructed to contact the developer directly through a Protonmail address in order to negotiate the terms, explain their needs, and get the malware.
AlienVault and Fortinet did just that, in order to get the samples and to analyze them.
MacSpy comes in two versions: a free basic one and an advanced one that costs an unknown amount of bitcoins.
Apparently, the basic RAT/spyware captures screenshots, logs keystrokes, records audio, steals photos, retrieves clipboard contents, steals browsing histories and download data, and communicates via Tor. The advanced version offers the retrieval of any files and data from the target computer, can encrypt the user directory, allows access to email and social networking accounts, and more.
The author says MacRansom uses “unbreakable encryption,” but doesn’t offer more details about it on the dark web portal.
Fortinet researchers have analyzed the sample they received directly from the developer, and have found that:
- The ransomware only encrypts a maximum of 128 files
- It uses symmetric encryption with a hardcoded key
- There are two sets of symmetric keys used by the ransomware: a ReadmeKey and a TargetFileKey. The first one is used to decrypt a file with the ransom note and instructions, and the second one to encrypt and decrypt the files.
“A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a randomly generated number. In other words, the encrypted files can no longer be decrypted once the malware has terminated – the TargetFileKey will be freed from the program’s memory and hence it becomes more challenging to create a decryptor or recovery tool to restore the encrypted files,” Fortinet researchers noted.
“Moreover, it doesn’t have any function to communicate with any C&C server for the TargetFileKey, meaning there is no readily available copy of the key to decrypt the files. However, it is still technically possible to recover the TargetFileKey. One of the known techniques is to use a brute-force attack. It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file contents. Nevertheless, we are still skeptical of the author’s claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file.”
What the two threats have in common
The two threats seem to have been developed by the same author.
They are imbued with the same anti-analysis countermeasures (an identical anti-debugger check, additional code that checks whether it is running under a debugger, a check for a virtual machine, and a check that it is running on a Mac), and use the same tactic to create a launch point for the software so that it runs at every startup.
Neither piece of malware is digitally signed, so if a target downloads and runs one, macOS will show a warning that the program is from an unidentified developer and that caution is advised.
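The two observations above, a launch point that runs the malware at every startup and a binary that is not code-signed, are also the two properties a defender can check for. The script below is an added example (not code from AlienVault, Fortinet, or the malware author) that enumerates the standard launchd persistence directories on macOS, extracts the program each plist starts, and reports whether that program is signed. The article does not say which persistence mechanism the samples use; this example assumes a launchd plist, and the "user-writable location" heuristic and the sample plist in the test are constructed for the demonstration. On a non-macOS host, where `codesign` is absent, the signing status is reported as unknown rather than guessed.

```python
# Added example: triage macOS launchd persistence entries and flag
# programs that are unsigned, missing, or living in user-writable paths.
# Not AlienVault's or Fortinet's code; heuristics below are assumptions.
import plistlib
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# Standard directories launchd reads persistence plists from.
LAUNCH_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Heuristic (assumed): a launch item whose program sits in one of these
# prefixes was not installed by an OS or vendor package and merits review.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")


def program_from_plist(plist_bytes: bytes) -> Optional[str]:
    """Return the executable path a launchd plist would start, or None."""
    data = plistlib.loads(plist_bytes)
    if isinstance(data.get("Program"), str):
        return data["Program"]
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def signing_status(program: str) -> str:
    """'signed', 'unsigned', or 'unknown' when codesign is unavailable."""
    if shutil.which("codesign") is None:
        return "unknown"  # not on macOS, do not guess
    # codesign --verify exits 0 only when the signature is present and valid.
    result = subprocess.run(
        ["codesign", "--verify", "--strict", program],
        capture_output=True, check=False,
    )
    return "signed" if result.returncode == 0 else "unsigned"


def triage_entry(plist_bytes: bytes) -> dict:
    """Summarise one launchd plist: label, program, signing status, warning flags."""
    data = plistlib.loads(plist_bytes)
    program = program_from_plist(plist_bytes)
    status = "unknown"
    flags = []
    if data.get("RunAtLoad") is True:
        flags.append("run_at_load")  # started at every login or boot
    if program is None:
        flags.append("no_program")
    else:
        if program.startswith(USER_WRITABLE_PREFIXES):
            flags.append("user_writable_location")
        if Path(program).exists():
            status = signing_status(program)
            if status == "unsigned":
                flags.append("unsigned")
        else:
            flags.append("program_missing")
    return {"label": data.get("Label"), "program": program,
            "signing": status, "flags": flags}


def triage_directory(directory: Path) -> list:
    """Triage every .plist in one launchd directory; missing dirs yield []."""
    results = []
    if not directory.is_dir():
        return results
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            results.append(triage_entry(plist_path.read_bytes()))
        except (plistlib.InvalidFileException, ValueError):
            results.append({"label": plist_path.name, "program": None,
                            "signing": "unknown", "flags": ["unparseable"]})
    return results


if __name__ == "__main__":
    # Print only entries that raised at least one flag.
    for launch_dir in LAUNCH_DIRS:
        for entry in triage_directory(launch_dir):
            if entry["flags"]:
                print(f"{launch_dir}: {entry['label']} -> "
                      f"{entry['program']} [{entry['signing']}] {entry['flags']}")
```

Run it as the logged-in user to cover `~/Library/LaunchAgents`; the two system-wide directories need no special privileges to read. A flagged entry is a lead, not a verdict: legitimate software also uses `RunAtLoad`, so the useful signal is the combination of an unsigned program in a user-writable path that the user does not recognise.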
The malware developer advises users to gain physical access to the target machine in order to surreptitiously install and run it.
This is not extremely sophisticated malware, but it works.
Users can protect themselves by:
- Limiting physical access to their Mac machines (require a password every time the machine is started or “woken up”)
- Not running software from unidentified, untrusted developers and sources
- Regularly backing up important files.
AlienVault researchers offered instructions on how to check whether your computer has been compromised with MacSpy.