
MacRansom and MacSpy Emerge to Scare Mac Users

Recent ransomware and malware attacks that have made headlines have left many Mac users with a false sense of security, and many have been boasting about their OS of choice and how they believe it to be invulnerable to attack. The recent emergence of MacRansom, ransomware targeting Mac OS, and MacSpy, spyware also targeting Mac OS, should give Mac users pause for thought.

Many Mac users believe that their system of choice is superior in terms of security when compared to its Microsoft counterpart. The reality is that, because Windows holds over 90% of the operating system market share, it is often not worth cyber criminals' time to create malware targeting Mac OS, as more damage can be caused by targeting Windows systems in either a sustained or a brief campaign.

macransom and macspy ransomware/spyware for Mac computers

MacRansom

MacRansom appears to have been launched on the Dark Web on 25 May 2017 as Ransomware as a Service (RaaS), renting out ransomware in the way earlier RaaS schemes have done; this now appears to be the classic model employed by cyber criminals. Researchers at Fortinet were the first to acquire fully working samples of the ransomware. This was made difficult because the portal advertising the malware requires potential clients to contact the author directly in order to find out the costs involved and to have the ransomware built. The researchers initially thought this was a scam, but the authors contacted them in return.

According to communications received from the author and the portal, the ransomware was advertised as completely invisible, using unbreakable 128-bit encryption, leaving no digital trace, and able to be deployed and complete encryption in under a minute. In the researchers' initial analysis, once the ransomware begins to run, a prompt is displayed warning that you are about to run a program from an unidentified developer. If the user clicks "Open" the ransomware runs; if they do not click "Open" the ransomware does not run and no files are encrypted.

Once the program begins to run, it first checks whether it is being run in a non-Mac environment or is being debugged; if so, it terminates. Once those conditions are met, it checks the machine model and compares it to the "Mac" string. Lastly, it checks whether the computer has two CPUs. Once it passes these initial checks, the ransomware creates a launch point which ensures that encryption begins on the trigger date, a specific date agreed upon by the author and the person requesting the RaaS. The ransomware terminates if it is triggered before the specified trigger date.

The ransomware can only encrypt 128 files and, like other crypto-lockers, it uses symmetric encryption with a hard-coded key to hijack the victim's files. It employs a ReadmeKey of 0x3127DE5F0F9BA796 and a TargetFileKey of 0x39A622DDB50B49E9. Researchers are unconvinced of the ransomware's ability to decrypt files once the malware has terminated.

The ransom note gives victims the email address getwindows@protonmail.com and demands a ransom of 0.25 Bitcoin (roughly 700 USD).

macransom darkweb

MacRansom advertised features:

  • Invisibility - Completely invisible to typical Mac users until scheduled execution time.
  • Deniability - Once installed, there will be no digital trace that can be associated with you. It can be configured to run at any time in the future.
  • Unbreakable Encryption - 128-bit industrial standard encryption algorithm leaves the target no option but to purchase our decryption software.
  • Speed - The target's entire home directory will be encrypted in under a minute.

MacSpy

MacSpy is advertised on the Dark Web as the most sophisticated spyware targeting Mac OS users to date. It boasts numerous features, including capturing a screenshot every 30 seconds, keylogging, iCloud syncing, using less than 0.1% of CPU processing power to remain invisible, and recording browsing data. Beyond these, it claims a host of advanced features that, if true, would make spying agencies globally envious. Like the ransomware discussed above, it is offered as malware as a service (MaaS). Researchers at AlienVault managed to get access to the malware and deemed it not as sophisticated as other similar schemes; the files were sent to the researchers with a note and a .zip file containing the relevant executables.

The malware itself has several measures intended to hamper analysis and prevent debugging. It also checks its environment so as not to run on a virtual machine. In addition, MacSpy checks that the number of CPUs is greater than 1, that the number of logical cores is greater than 3, and that the number of logical cores is twice the number of physical cores. Further, MacSpy checks that there is at least 4 GB of memory on the host and that it is deploying on a Mac machine.
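Both families described above refuse to run unless the host looks like a real Mac with a debugger absent, a particular CPU and core layout, and (for MacSpy) no virtual machine indicators and at least 4 GB of memory. For an analyst this matters because a default sandbox usually fails several of these checks and the sample exits silently, leaving nothing to observe. The following added example (not code from the article, Fortinet or AlienVault) models each check the article describes as a predicate over a host profile so that an analysis VM can be verified against them before detonation. The HostProfile fields, the "at least two CPUs" and substring interpretations, and the sample profiles are all assumptions or constructed values.

```python
# Added example: models the environment checks the article attributes to
# MacRansom and MacSpy so an analyst can confirm an analysis VM would pass
# them. Not the malware's code; field names and thresholds' interpretation
# are assumptions, and the sample profiles below are constructed.
from dataclasses import dataclass


@dataclass
class HostProfile:
    model_identifier: str   # e.g. "MacBookPro14,1" (constructed value)
    is_mac: bool            # running on macOS at all
    debugger_attached: bool
    vm_detectable: bool     # hypervisor artefacts visible to the sample
    cpu_count: int          # number of CPUs (packages)
    physical_cores: int
    logical_cores: int
    memory_gb: float


def macransom_checks(h: HostProfile) -> dict:
    """Checks the article describes for MacRansom. True means the check
    passes, i.e. the ransomware would keep running."""
    return {
        "mac_environment": h.is_mac,
        "not_debugged": not h.debugger_attached,
        # "compares the model to the 'Mac' string": assumed substring match
        "model_contains_mac": "Mac" in h.model_identifier,
        # "checks that the computer has two CPUs": assumed to mean at least two
        "two_cpus": h.cpu_count >= 2,
    }


def macspy_checks(h: HostProfile) -> dict:
    """Checks the article describes for MacSpy, same convention."""
    return {
        "not_virtual_machine": not h.vm_detectable,
        "cpus_gt_1": h.cpu_count > 1,
        "logical_cores_gt_3": h.logical_cores > 3,
        "logical_is_twice_physical": h.logical_cores == 2 * h.physical_cores,
        "memory_ge_4gb": h.memory_gb >= 4,
        "mac_machine": h.is_mac,
    }


FAMILIES = {"MacRansom": macransom_checks, "MacSpy": macspy_checks}


def failed_checks(results: dict) -> list:
    """Names of the checks the sample would fail, in definition order."""
    return [name for name, ok in results.items() if not ok]


def would_detonate(h: HostProfile, family: str) -> bool:
    """True if every check for the named family passes on this host."""
    return not failed_checks(FAMILIES[family](h))


# Constructed profiles: a default single-vCPU analysis VM with a debugger
# attached, and the same VM re-provisioned to resemble a real MacBook Pro
# with hypervisor indicators hidden.
DEFAULT_SANDBOX = HostProfile(
    model_identifier="Macmini6,1", is_mac=True, debugger_attached=True,
    vm_detectable=True, cpu_count=1, physical_cores=2, logical_cores=2,
    memory_gb=2.0,
)
HARDENED_SANDBOX = HostProfile(
    model_identifier="MacBookPro14,1", is_mac=True, debugger_attached=False,
    vm_detectable=False, cpu_count=2, physical_cores=2, logical_cores=4,
    memory_gb=8.0,
)


if __name__ == "__main__":
    for label, host in (("default", DEFAULT_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        for family, checks in FAMILIES.items():
            failed = failed_checks(checks(host))
            print(f"{label:8} {family:9} detonates={not failed} failed={failed}")
```

Running the block shows the default profile failing the debugger and CPU-count checks for MacRansom and five of the six MacSpy checks, while the re-provisioned profile passes both sets. The point for a defender is that the CPU, core-ratio and memory figures the article reports are exactly the values a sandbox has to present, and a debugger has to be detached, before either sample will reveal its encryption or exfiltration behaviour.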

Once it has passed all these checks, the malware copies itself and deletes the original in an effort to remain hidden. It then checks that its Tor proxy is working in order to contact a command and control server and send data. After the data has been sent, the malware deletes the temporary files containing the data. The process then begins again.

macspy darkweb

MacSpy advertised features:

  • Deniability - Once installed, there will be no digital trace that can be associated with you. All communications are secure and untraceable over Tor.
  • Invisibility - With less than 30MB memory usage and less than 0.1% average cpu usage on Apple's least powerful Macbook Air, it's completely undetectable by conventional Mac users.
  • Capture - Capture a screenshot every 30 seconds. With support for multiple monitors.
  • Voice - Record surrounding sounds continuously even after user turns off microphone.
  • Key Logging - Log every keystroke in a clear and intuitive output format. (Requires sudo password)
  • Pasteboard - Retrieve clipboard contents. This will help you get anything from complex passwords to server private keys.
  • iCloud syncing - Acquire photos on iPhone as soon as iCloud syncs them to the Mac.
  • Browser data - Learn browsing patterns by obtaining history and download data from Safari and Chrome.

Possible New Trend

While in the past Mac users felt fairly safe that they were protected from the vulnerabilities evident in other operating systems, as more people buy Mac products they will become targets for malware and ransomware. New studies have indicated an increase in varied malware specifically targeting Mac users. Although it appears that at least the ransomware mentioned above is possibly the work of copycats and is not sophisticated in its attack vectors or code, it is still capable of encrypting files and thus is still a threat. With questions surrounding the author's ability to decrypt the files, it is advised, as usual, not to pay the ransom. This is, as ever, a reminder to Windows and Mac users to back up files regularly.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.

The PCrisk security portal is run by the company RCS LT, whose security researchers work together to educate computer users about the latest online security threats.
