Mac Malware Installs Ransomware, Spyware, Security Firms Say

While Windows remains by far the platform of choice to launch cyber-attacks,, companies keep coming across malware made for the Mac.


Mac users need to beware of two new malware-as-a-service threats found on dark web sites—one focused on spyware-as-a-service and the other focused on ransomware—which target the macOS platform with new criminal cyber-attacks, according to researchers at AlienVault and Fortinet, both which announced their analyses of the services on June 9.

The new Mac spyware, straight-forwardedly named MacSpy, uses Tor for communications, records keystrokes and audio, and can capture a screenshot every 30 seconds, according to AlienVault. Another service, found by network-security firm Fortinet and dubbed “MacRansom,” offers some of the same features, along with encrypting a victim’s files in a ransomware-as-a-service model.

The attacks suggest a trend in targeting Macs, Aamir Lakhani, senior cyber-security researcher and practitioner with Fortinet and FortiGuard Labs, said in a statement sent to eWEEK.

“Mac ransomware is definitely becoming bigger,” he said. “Although market share is still small, hackers know that there is valuable data on the Mac. This has led to development of more Mac hacking tools.”

Apple has long touted the relatively safety of its macOS platform, making the lack of viruses a central focus of a light-hearted series of commercials between 2009 and 2012. While Macs have been hit with occasional attacks—most notably in 2012 when the Flashback trojan infected some 600,000 computers—very few malware variants specifically target the platform.

For example, even with a more than seven-fold increase in Q4 2016—a jump due to adware being bundled with some software—Mac users only encountered about 350,000 new variants, about 1.5 percent of the 23 million new malware samples encountered by Windows users, according to data from Intel’s McAfee Security.

In addition, Mac malware tends to not be as mature as its Windows brethren. MacSpy demonstrates uneven technical sophistication, for example. While the malware's developers don't offer an automated signup service, they have enabled some anti-analysis features, such as measures designed to prevent researchers from starting up the software in a debugging environment, AlienVault researchers said.

“In addition to the anti-debugging countermeasures, MacSpy contains checks against the execution environment that can make it difficult to run in a virtual machine,” the company stated in its analysis.

MacRansom includes similar measures, as well as the ability to encrypt files. But keeps a critical code component in memory, which means that if a Mac is restarted after encryption, then the key is deleted and the data becomes nearly impossible to decrypt.

“Even if it is far inferior from most current ransomware targeting Windows, it doesn’t fail to encrypt victim’s files or prevent access to important files, thereby causing real damage,” Fortinet stated in its analysis.

While malware developers and cyber-criminals overwhelmingly target Microsoft’s Windows platform, both Fortinet and AlienVault argue that the two programs show that more attention is being paid to Macs.

It’s not a question of which platform is more secure, Eddie Lee, senior security researcher with AlienVault told eWEEK, pointing out that “Windows has a lot of notifications if you are trying to install unsigned applications,” just like Mac OS X.

“In terms of platform security, I would not say Apple is more secure than Microsoft,” he said. “The attackers just go after the larger user space.”

The two programs have some odd similarities. Screenshots of the feature descriptions of both services use the same layout and styling and uses the same wording for the “Deniability” feature. Both analyses show that the developers use the ProtonMail service.

When asked about the similarities, AlienVault researchers confirmed that they thought the same group was likely behind both MacSpy and MacRansom. “We believe they are the same authors,” Lee said. “Website and text were about the same.”

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...