Security researchers have finally gotten their hands on samples of two new strains of Mac malware that have been offered through Malware-as-a-Service (MaaS) portals on the Dark Web for almost two weeks.
Both portals went live on May 25 and were discovered by your reporter during a routine scan of the Dark Web. The first site, MacSpy, peddles Mac spyware; the second, MacRansom, rents out ransomware in a classic Ransomware-as-a-Service (RaaS) scheme.
Dark Web portal peddling some sort of (new?) Mac malware pic.twitter.com/02obWvG4mg — Catalin Cimpanu (@campuscodi) May 25, 2017
My bad. It's a different site with the same template. Demo videos show 2 different tools — Catalin Cimpanu (@campuscodi) May 25, 2017
The pair is the work of the same malware developer, and the two websites are almost identical unless you look closely.
Both sites operate in a "closed" manner: crooks have to contact the malware author directly to receive demo packages and negotiate a price.
While Bleeping Computer tried numerous times, from several email addresses, it was our friends at Fortinet and AlienVault who got hold of fully working samples of MacRansom and MacSpy, respectively.
Both companies have published research breaking down the strain they received, and both reached the same conclusion: MacRansom and MacSpy are the work of an inexperienced coder who, despite setting up two MaaS portals, has not put enough effort into the quality of the code.
Below are some issues spotted by researchers:
Overall, MacSpy is the better-coded of the two, but Mac users have more to fear from MacRansom, since the ransomware has the potential to permanently destroy user files if it is ever deployed in live campaigns.
Currently, neither strain appears to be part of any active distribution campaign, most likely because of the grueling process a would-be customer has to go through to get hold of a payload.
Security researcher Ruben Dodge, who also reviewed Fortinet's MacRansom report, shares the company's opinion.
"Personally, from what I see [...] it doesn't look that complex," Dodge told Bleeping Computer on Twitter. "It's got very basic checks for virtual machines."
"It may not take off," the researcher said about the MacRansom RaaS becoming popular. "However, I do believe it's only a matter of time [until another RaaS does]. There is a market for it. Mac consumer use is growing."
"There's an ideological shift for Mac and iPhone as being seen as the more friendly OS for older people. [...] It is a market that will be targeted. There are too many less technical people using it not to make it a 'ripe' target for threat actors," Dodge added.
And the researcher is right. Over the past two years we've seen Mac malware, and especially Mac ransomware, grow from a simple demo (Mabouia) into active threats (KeRanger and Patcher). There is also a malware author working on a brand-new cross-OS ransomware, which he says he plans to offer through a RaaS portal on the Dark Web over the summer.
Someone is creating a cross-platform ransomware and uploading demo videos on YouTube. Naughty boy!!! pic.twitter.com/xGIAGFiaB0 — Catalin Cimpanu (@campuscodi) May 23, 2017
Hacker working on cross-OS ransomware posts video of Windows version. Mac version demoed a while back. pic.twitter.com/KqbNdNM38K — Catalin Cimpanu (@campuscodi) June 7, 2017
The number of Macs has grown, and so has the amount of Mac-targeting malware. The launch of MaaS portals, even ones as hard to use and engage with as MacSpy and MacRansom, will draw more crooks toward the Mac userbase and lower the entry bar for individuals and groups with no previous experience in writing Mac malware.
One tool that may help users protect against Mac ransomware is RansomWhere?, a free utility from Objective-See that watches for untrusted processes rapidly creating encrypted-looking files and suspends them until the user approves or blocks them. It is a behavioral heuristic rather than a signature, so it can miss slow or unusual encryptors and can flag legitimate tools that write compressed or encrypted data.
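To make the RansomWhere? idea concrete, here is an added example (not code from the article, from RansomWhere? itself, or from either malware author) of the core heuristic in Python: score each newly written file by Shannon entropy and alert when a single process writes a burst of high-entropy files inside a short sliding window. The thresholds, process ids, and the replayed file-write events are all constructed for illustration; a real monitor would hook file-system events and know which process performed each write.

```python
"""Simplified ransomware-behaviour heuristic in the spirit of RansomWhere?.

Added example, not the article's or RansomWhere?'s code. Constants, pids and
sample events below are assumptions for illustration only.
"""
import math
import random
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext sits near 8.0 (assumed cut-off)
BURST_COUNT = 5           # high-entropy writes before alerting (assumed)
WINDOW_SECONDS = 10.0     # sliding window length in seconds (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, min_len: int = 256) -> bool:
    """True for long, near-uniform byte distributions. Very short files are
    skipped because an entropy estimate over a few bytes means nothing."""
    return len(data) >= min_len and shannon_entropy(data) >= ENTROPY_THRESHOLD


class BurstDetector:
    """Per process id, keep timestamps of recent high-entropy writes and
    report the pid once BURST_COUNT of them fall inside WINDOW_SECONDS."""

    def __init__(self, burst: int = BURST_COUNT, window: float = WINDOW_SECONDS):
        self.burst = burst
        self.window = window
        self.recent = defaultdict(deque)

    def observe(self, pid: int, ts: float, data: bytes) -> bool:
        """Feed one file-write event; return True if it triggers an alert."""
        if not looks_encrypted(data):
            return False
        q = self.recent[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop writes outside the window
            q.popleft()
        return len(q) >= self.burst


def run_demo(seed: int = 1) -> set:
    """Replay constructed events from three hypothetical processes and return
    the set of pids that tripped the detector."""
    rng = random.Random(seed)

    def ciphertext() -> bytes:
        # Uniform random bytes stand in for encrypted file contents.
        return bytes(rng.getrandbits(8) for _ in range(4096))

    plaintext = b"Quarterly report: revenue up, costs flat. " * 100
    events = []
    # pid 1001: an editor autosaving plaintext once a second (low entropy)
    events += [(1001, float(t), plaintext) for t in range(12)]
    # pid 2002: hypothetical encryptor, six ciphertext files in three seconds
    events += [(2002, 0.5 * i, ciphertext()) for i in range(1, 7)]
    # pid 3003: slow high-entropy writer, one file every 30 s, never fills the window
    events += [(3003, 30.0 * i, ciphertext()) for i in range(6)]

    det = BurstDetector()
    alerted = set()
    for pid, ts, data in sorted(events, key=lambda e: e[1]):
        if det.observe(pid, ts, data):
            alerted.add(pid)
    return alerted


if __name__ == "__main__":
    print("alerting pids:", sorted(run_demo()))
```

Only the fast encryptor trips the detector; the editor never produces high-entropy output and the slow writer never accumulates enough writes inside one window. This is also where the false-positive problem lives: archivers, browsers saving downloads, and backup tools all write compressed or encrypted data in bursts, which is why RansomWhere? pairs the heuristic with process trust (Apple-signed and previously approved binaries) and a user prompt rather than killing the process outright.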