Two pieces of Mac malware hit the market as Malware-as-a-Service (MaaS) products, researchers said.
MacRansom and MacSpy, which researchers feel were created by the same developer, are for sale in two separate dark web portals.
The malware developer offers both through a MaaS model, and potential users should contact the developer directly through a Protonmail address in order to negotiate the terms, explain their needs, and get the malware.
Security research companies, AlienVault and Fortinet, purchased copies so they could analyze them.
MacRansom is advertised as using “unbreakable encryption,” but the dark web portal offers no details about it.
Fortinet researchers analyzed the sample they received directly from the developer, and have found:
• The ransomware only encrypts a maximum of 128 files
• It uses a symmetric encryption with a hardcoded key
• There are two symmetric keys used by the ransomware: a ReadmeKey and a TargetFileKey. The first is used to decrypt a file containing the ransom note and instructions, and the second to encrypt and decrypt the target files.
“A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number,” Fortinet researchers said in a blog post. “In other words, the encrypted files can no longer be decrypted once the malware has terminated – the TargetFileKey will be freed from the program’s memory and hence it becomes more challenging to create a decryptor or recovery tool to restore the encrypted files.”
“Moreover, it doesn’t have any function to communicate with any C&C server for the TargetFileKey, meaning there is no readily available copy of the key to decrypt the files,” the researchers said. “However, it is still technically possible to recover the TargetFileKey. One of the known techniques is to use a brute-force attack. It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file contents. Nevertheless, we are still skeptical of the author’s claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file.”
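The key-recovery argument the Fortinet researchers make can be shown on a toy model. The following is an added example, not Fortinet's recovery tool and not code from the MacRansom sample: it assumes the 8-byte TargetFileKey is the hardcoded key XORed with a 16-bit random number, uses a SHA-256 based stream cipher as a stand-in for the real (undocumented) cipher, and recovers the key from ciphertexts whose leading bytes are predictable (PNG and PDF magic). The key derivation, the cipher, the 16-bit width of the random number and every constant are assumptions chosen so the search finishes in well under a second; the point it demonstrates is that once a key is lost from memory, predictable file headers plus a small effective key space are enough to rebuild it without any help from the author.

```python
"""Toy model of TargetFileKey recovery: a hardcoded key permuted with a small
random number, one key for all files, key freed when the malware exits.
Assumed construction for illustration, not MacRansom's actual algorithm."""
import hashlib
import secrets
from typing import Iterable, Optional, Tuple

# Constructed stand-in for a hardcoded 8-byte key; not a value from the real sample.
HARDCODED_KEY = bytes.fromhex("0f1e2d3c4b5a6978")
# Width of the "random generated number" in this model (assumption).
NONCE_BITS = 16

# Predictable file contents a recovery tool can test candidate keys against.
KNOWN_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-1.",
    "zip": b"PK\x03\x04",
}


def derive_target_key(base_key: bytes, nonce: int) -> bytes:
    """Model of 'TargetFileKey permuted with a random number': XOR the hardcoded
    key with the nonce repeated across all 8 bytes (assumed permutation)."""
    pad = nonce.to_bytes(2, "big") * (len(base_key) // 2)
    return bytes(a ^ b for a, b in zip(base_key, pad))


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream: SHA-256(key || block counter), truncated.
    Non-linear, so known plaintext reveals keystream bytes but not the key."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt  # XOR stream cipher: decryption is the same operation


def recover_key(samples: Iterable[Tuple[bytes, bytes]],
                base_key: bytes = HARDCODED_KEY) -> Optional[bytes]:
    """Brute-force the nonce space. Each sample is (ciphertext, known_prefix);
    a candidate key must decrypt every sample's prefix correctly. Because one
    key covers all files in a run, extra samples only make the check stricter;
    they do not enlarge the search."""
    samples = list(samples)
    if not samples:
        return None
    for nonce in range(1 << NONCE_BITS):
        candidate = derive_target_key(base_key, nonce)
        consistent = True
        for ciphertext, prefix in samples:
            n = len(prefix)
            if xor_bytes(ciphertext[:n], keystream(candidate, n)) != prefix:
                consistent = False
                break
        if consistent:
            return candidate
    return None


def main() -> None:
    # The "malware" side: derive a per-run key, encrypt files, discard the key.
    nonce = secrets.randbelow(1 << NONCE_BITS)
    key = derive_target_key(HARDCODED_KEY, nonce)
    victim_files = {  # constructed sample files with predictable headers
        "photo.png": KNOWN_MAGIC["png"] + b"\x00\x00\x00\rIHDR constructed body",
        "report.pdf": KNOWN_MAGIC["pdf"] + b"4 constructed body",
    }
    encrypted = {name: encrypt(data, key) for name, data in victim_files.items()}
    del key, nonce  # "freed from program's memory" once the malware terminates

    # The recovery side: only ciphertexts and the expected headers are available.
    recovered = recover_key([
        (encrypted["photo.png"], KNOWN_MAGIC["png"]),
        (encrypted["report.pdf"], KNOWN_MAGIC["pdf"]),
    ])
    assert recovered is not None, "no key in the modelled search space"
    for name, ciphertext in encrypted.items():
        assert decrypt(ciphertext, recovered) == victim_files[name]
    print(f"recovered TargetFileKey {recovered.hex()}; all files decrypt")


if __name__ == "__main__":
    main()
```

Running the script plays both roles: it encrypts two constructed files with a freshly randomised key, forgets the key, then rebuilds it from the file headers alone. Widening NONCE_BITS shows why the researchers talk about CPU time rather than impossibility: the cost grows with the random number's width, not with the secrecy of the hardcoded part, which an analyst reads out of the binary.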
The other malware is MacSpy, which comes in two versions: a free basic one and an advanced one that costs an undisclosed amount of bitcoin.
The basic RAT/spyware captures screenshots, logs keystrokes, records audio, steals photos, retrieves clipboard contents, steals browsing histories and download data, and communicates via Tor, said AlienVault researchers in a blog post.
The advanced version offers the retrieval of any files and data from the target computer, can encrypt the user directory, allows access to email and social networking accounts, and more.
The researchers said the two threats appear to have been developed by the same author.
They use the same anti-analysis countermeasures and the same tactic for creating a launch point, so the software runs at every startup.
Neither piece of malware is digitally signed, so if a target downloads and runs it, the OS shows a warning that the program is from an unidentified developer and that the user should proceed with caution.
The malware developer advises users to gain physical access to the target machine in order to surreptitiously install and run it.
This is not extremely sophisticated malware, but it works.
Users can protect themselves by:
• Limiting physical access to their Mac machines (require a password every time the machine is started or “woken up”)
• Not running software from unidentified, untrusted developers and sources
• Regularly backing up important files