
MacSpy


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

MacSpy is advertised as the 'most sophisticated Mac spyware ever' and it's free.

Threat details

The new Mac malware was created by the same developers who created MacRansom. They state that they created this malware because Apple products have gained popularity in recent years.

MacSpy's standard features include keylogging, screen capture and audio recording. A premium, advanced version of MacSpy is available for purchase for an unknown amount of Bitcoin (BTC). The advanced version boasts extra functionality such as encrypting user directories, data retrieval and disguising the program as legitimate software.

After researchers obtained a copy, analysis revealed that the original zip archive contains four files. One of these files is not digitally signed and was completely undetected by anti-virus (AV) vendors. Further analysis of another file shows that MacSpy communicates over the Tor network.

MacSpy employs anti-analysis features, including the ability to determine whether or not it is being debugged. The malware is also virtual machine (VM) aware: it performs various checks to determine whether the execution environment is a live system, and it will not execute properly inside a virtual environment.


Remediation steps

  • Ensure AV and malware definitions are kept up to date.
  • Ensure all operating system updates are applied at the earliest opportunity.
  • Remain vigilant when opening email attachments and never open an attachment from an unknown sender.
  • Due to the nature of the malware, if an active infection is identified, the affected device should be completely reimaged and any credentials used on the host since initial infection should be changed.
  • Monitor file changes for the above files and directories.

Last edited: 17 February 2020 11:34 am