Two malware portals, MacSpy (a free malware-as-a-service, or MaaS, platform) and MacRansom (a ransomware-as-a-service, or RaaS, program), have been built deliberately to appeal to bad actors who don't have sufficient technical expertise. The portals were discovered during a regular scan of the Dark Web.
AlienVault states that running MacSpy is as simple as emailing the platform authors for a ZIP file. MacSpy launches once opened. The malware then collects and exfiltrates data such as audio and music files, photos, clipboard contents, and browser information. MacSpy can also take screenshots and log keystrokes. All of this data can be found on the Dark Web.
Peter Ewane reports that the malware stays hidden from the user. To do so, after passing its anti-analysis checks and setting up persistence, it copies itself and its associated files from the initial point of execution to ~/Library/.DS_Stores/ and deletes the original files.
“The malware then checks the functionality of its tor proxy by utilizing the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it had collected earlier, such as system information, by sending POST requests through the TOR proxy. This process repeats again for the various data the malware has collected. After exfiltration of the data, the malware deletes the temporary files containing the data it sent,” said Peter Ewane, researcher at AlienVault.
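The staging path reported above, ~/Library/.DS_Stores/, is something a defender can check for directly. The script below is an added example, not code from AlienVault or from the original article; the function name `scan_home` and the choice to look in `Library/LaunchAgents` for persistence are assumptions, since the article does not say how persistence is set.

```shell
#!/bin/sh
# Added example: look in one home directory for the MacSpy staging folder
# named in the article, plus LaunchAgent plists that point into it.
# Usage (after sourcing this file): scan_home "$HOME"

STAGING_REL="Library/.DS_Stores"    # path taken from the article
AGENTS_REL="Library/LaunchAgents"   # assumed persistence location (not in the article)

# scan_home HOME_DIR
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
scan_home() {
    home=$1
    found=0

    # 1. The hidden staging directory. A legitimate .DS_Store is a file
    #    with no trailing "s", so a directory by this name stands out.
    if [ -d "$home/$STAGING_REL" ]; then
        echo "staging-dir: $home/$STAGING_REL"
        found=1
        # List visible and dot-prefixed entries so an analyst sees what was copied.
        for f in "$home/$STAGING_REL"/* "$home/$STAGING_REL"/.[!.]*; do
            if [ -e "$f" ]; then
                echo "staged-file: $f"
            fi
        done
    fi

    # 2. Any LaunchAgent plist whose contents reference the staging path.
    #    grep -F matches the literal bytes, so binary plists are covered too.
    if [ -d "$home/$AGENTS_REL" ]; then
        for p in "$home/$AGENTS_REL"/*.plist; do
            [ -f "$p" ] || continue
            if grep -q -F ".DS_Stores/" "$p" 2>/dev/null; then
                echo "launch-agent: $p"
                found=1
            fi
        done
    fi

    return "$found"
}
```

Because the article says the malware removes the files at its initial point of execution, a clean result for the download location says nothing; the staging directory is the place to look.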
Similarly, MacRansom is offered through a Dark Web portal hosted on TOR and can be sent by email. MacRansom is capable of running at every startup and guarantees encryption at a particular trigger time. After completing these tasks, the malware asks the user of the infected computer to pay ¼ Bitcoin.
According to Fortinet researchers, most Mac OS users assume that their Macs are safe from malware and ransomware attacks, and in most cases this is true. Mac users are less likely to get infected by malware than Windows users. However, this is not due to the level of vulnerability in the operating system; it is mostly because most PCs run Microsoft Windows (over 90%) and only about 6% run Apple Mac OS.