{"id":7946,"date":"2017-06-14T08:10:30","date_gmt":"2017-06-14T16:10:30","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/14\/news-1727\/"},"modified":"2017-06-14T08:10:30","modified_gmt":"2017-06-14T16:10:30","slug":"news-1727","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/06\/14\/news-1727\/","title":{"rendered":"New Mac Malware-as-a-Service offerings"},"content":{"rendered":"

Credit to Author: Thomas Reed| Date: Wed, 14 Jun 2017 15:00:01 +0000<\/strong><\/p>\n

A\u00a0couple weeks ago, two new Malware-as-a-Service (MaaS) offerings for the Mac became\u00a0available. These two offerings – a backdoor named MacSpy and a ransomware app named MacRansom – were discovered by Catalin Cimpanu<\/a> of Bleeping Computer on May 25.<\/p>\n

Cimpanu evidently had some trouble getting hold of samples, but on Friday\u00a0analysis of\u00a0MacRansom<\/a> was posted by Fortinet and analysis of MacSpy<\/a> was posted by AlienVault.<\/p>\n

Both of these malware programs were advertised through Tor websites, claiming them to be “The most sophisticated Mac spyware\/ransomware ever, for free.” Neither programs were directly available, but could only be obtained by emailing the authors at protonmail[dot]com email addresses.<\/p>\n

\"\"<\/a><\/p>\n

Behavior<\/h3>\n

Despite the claims of sophistication, these malware programs are not particularly advanced. The programs provided to both Fortinet and AlienSpy were simple command-line executable files that, when run, copy themselves into the user’s Library folder.<\/p>\n

MacSpy:<\/strong><\/p>\n

~\/Library\/.DS_Stores\/updated<\/pre>\n
MacRansom:<\/strong><\/p>\n
~\/Library\/.FS_Store<\/pre>\n
Because the .DS_Stores folder and the .FS_Store file both have names starting with a period, they are hidden from view\u00a0unless the user has done something to show invisible files.<\/p>\n
As part of the installation, these programs\u00a0also create LaunchAgent files for persistence – a not at all original method.<\/p>\n
MacSpy:<\/strong><\/p>\n
~\/Library\/LaunchAgents\/com.apple.webkit.plist<\/pre>\n
MacRansom:<\/strong><\/p>\n
~\/Library\/LaunchAgents\/com.apple.finder.plist<\/pre>\n
Some recent malware has had the capability to customize the install locations and names, but there’s no indication in the reports from Fortinet and AlienVault that such a feature is available in MacSpy or MacRansom, making these quite easy to detect.<\/p>\n
MacRansom is created with a custom “trigger date,” after\u00a0which time the malware detonates and encrypts the files in the user’s home folder, as well as on any connected volumes, such as external hard drives. As happened with KeRanger, which had a 3-day delay before encrypting, this delay will likely mean that few people who are using security software will actually be affected, as the malware will probably be detected before it encrypts anything.<\/p>\n
Further, the encryption uses a symmetric key – meaning that the same key is used both to encrypt and to decrypt – that is only 8 bytes in length, making it rather weak and relatively easy to decrypt. However, the key creation process involves a random number and the resulting key\u00a0is apparently not saved to the hard drive or communicated back to the authors in any way, making it impossible to decrypt the files except via brute force.<\/p>\n
After encryption, the malware will display a pop-up alert informing the user of what must be done to decrypt the files, and will continue to reappear even if the user clicks the “Destroy [sic] My Mac” button.\u00a0The malware does not save any copies of that information to files on the hard drive, as is typical of most ransomware.<\/p>\n
\"\"<\/a><\/p>\n
MacSpy is fairly simple spyware, which gathers data into temporary files and sends those files periodically back to a Tor command & control (C&C) server via unencrypted http. It will exfiltrate the following data:<\/p>\n