
MacSpy Malware Offered as Free Service

Just days after MacRansom Ransomware-as-a-service (RaaS) was uncovered, the first malware-as-a-service (MaaS) targeting Mac users was discovered on an underground forum, available for free, AlienVault reveals.

Dubbed MacSpy and claiming to be the “most sophisticated Mac spyware ever”, the threat was built out of a “need of such programs on MacOS,” the malware’s author claims. The developers advertise both a free and an advanced variant of the malware, but don’t appear to have set a specific price for the latter.

The free variant includes support for anonymous communication over the TOR network, can capture screenshots, log keystrokes, record voice, retrieve clipboard content and browser data, and grab iCloud photos during the syncing process. Moreover, it is advertised as being completely untraceable courtesy of low memory and CPU usage, AlienVault discovered.

The paid variant supposedly also allows users to adjust capture and recording intervals remotely, and can retrieve any files and data from the Mac, encrypt the entire user directory within seconds, and disguise the malware as a legitimate file format. Further, it supports daily archive of collected files, access to emails and social network accounts, and benefits from updates and code signing.

The MaaS, however, doesn’t appear polished, as wannabe criminals can’t automatically sign up for the service, but need to email the author with the preferred username and password instead. After creating the account, the author sends a zipped file to the new user, along with unzipping instructions.

Users can apparently infect machines by placing MacSpy’s unzipped folder onto a USB drive and manually executing a 64-bit executable called ‘updated’ when needed. The executable isn’t signed and doesn’t seem to be detected by the various AV companies on VirusTotal.

In addition to the ‘updated’ file, the archive contains a 64-bit executable ‘webkitproxy’, a 64-bit dynamically linked shared library ‘libevent-2.0.5.dylib’, and a config file. Given that webkitproxy and libevent-2.0.5.dylib are signed by TOR, the researchers concluded they are related to the function of Tor Onion routing.


The malware also includes anti-analysis capabilities, such as debugger and virtualization checks (CPU core count, amount of memory on the host). It also checks whether it is running on a Mac, as MacRansom does. For persistence, the threat creates a launch entry in ~/Library/LaunchAgents/, ensuring it runs at every startup.

After execution, the malware copies itself and associated files to “~/Library/.DS_Stores/” and deletes the original folder. Next, it uses the curl command to contact the command and control (C&C) server, and sends collected data to it using POST requests through the TOR proxy. It also deletes the temporary files it uses to collect data.
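The two artifacts described above, a LaunchAgent for persistence and a copy of the malware in the hidden ~/Library/.DS_Stores/ directory, suggest a simple hunting check: parse every plist in ~/Library/LaunchAgents/ and flag any whose program lives under a dot-directory inside ~/Library, which a legitimate agent has no reason to do. The script below is an added example, not code from the article or from AlienVault’s report; it relies only on the standard library’s plistlib, and the agent labels, file names and home directory in it are constructed placeholders rather than identifiers taken from the report.

```python
"""Hunt for LaunchAgents that point into hidden directories under ~/Library.

Added example, not from the AlienVault report or the article. It assumes the
standard macOS LaunchAgent plist format (handled by plistlib) and uses
constructed sample plists; the labels and file names are placeholders.
"""
from __future__ import annotations

import plistlib
import posixpath

# Constructed home directory for the samples; on a live system you would use
# os.path.expanduser("~") and read ~/Library/LaunchAgents/*.plist.
HOME = "/Users/victim"


def program_paths(plist_bytes: bytes) -> list[str]:
    """Return the executable paths a LaunchAgent plist references.

    launchd accepts either a `Program` string or a `ProgramArguments` list
    whose first element is the executable, so both forms are honoured.
    """
    data = plistlib.loads(plist_bytes)
    paths: list[str] = []
    if isinstance(data.get("Program"), str):
        paths.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def is_hidden_library_path(path: str, home: str = HOME) -> bool:
    """True if `path` sits inside a dot-directory under <home>/Library.

    A leading '~' is expanded so that both spellings of the home directory
    are handled. Only directory components are inspected, so the check
    matches '~/Library/.DS_Stores/updated' but not a plist stored directly
    in '~/Library/LaunchAgents/'.
    """
    expanded = home + path[1:] if path.startswith("~") else path
    library = posixpath.join(home, "Library")
    if not expanded.startswith(library + "/"):
        return False
    relative = expanded[len(library) + 1:]
    directories = relative.split("/")[:-1]
    return any(part.startswith(".") for part in directories)


def find_suspicious_agents(agents: dict[str, bytes], home: str = HOME) -> list[tuple[str, str]]:
    """Scan {plist filename: plist bytes} and return (filename, path) pairs to review."""
    hits: list[tuple[str, str]] = []
    for name, raw in agents.items():
        for program in program_paths(raw):
            if is_hidden_library_path(program, home):
                hits.append((name, program))
    return hits


# Constructed sample agents: one benign helper under Application Support and
# one modelled on the behaviour the article describes. Labels are placeholders.
SAMPLE_AGENTS: dict[str, bytes] = {
    "com.example.benign.plist": plistlib.dumps({
        "Label": "com.example.benign",
        "ProgramArguments": ["/Users/victim/Library/Application Support/Example/helper"],
        "RunAtLoad": True,
    }),
    "com.placeholder.updated.plist": plistlib.dumps({
        "Label": "com.placeholder.updated",
        "ProgramArguments": ["/Users/victim/Library/.DS_Stores/updated"],
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for filename, program in find_suspicious_agents(SAMPLE_AGENTS):
        print(f"review: {filename} -> {program}")
```

Run against a real ~/Library/LaunchAgents/ this only narrows the list to agents worth a look; the decision to treat a hit as malicious still rests on the binary itself (unsigned, recently created, accompanied by a Tor proxy and libevent as described above).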

The web portal is a “very bare bones directory listing containing a folder labeled the most recent date of the malware executing on a system in the YYYYMM format, followed by a folder in the DD format.” The folder includes directories resembling the directory naming on the victim system and containing the data collected from the victim.

MacSpy, AlienVault notes, shows an increased focus on MacOS, which has been generally considered relatively safe from malware.

“While this piece of Mac malware may not be the stealthiest program, it is feature rich and it goes to show that as OS X continues to grow in market share, we can expect malware authors to invest greater amounts of time in producing malware for this platform,” the security researchers conclude.

Related: MacRansom RaaS Potentially Created by Copycats

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
