
For more than a decade, a debate has rumbled on: are Macs more secure and less prone to malware than Windows computers?


As more malware targeting Macs entered the scene, Windows devotees used that to make the case that Apple's technology was no more secure than all the others. Mac fans have responded with endless examples of how Windows is targeted much more often.

In the past week, debate has been rekindled by a series of articles questioning Mac security:

  • TechRadar reported that Proton – a RAT (remote access trojan) targeting macOS – was circulating in an underground Russian cybercrime forum.
  • Forbes published an article about how macOS isn't as secure as its users think, based on a blog post from Thomas Reed, director of Mac offerings at Malwarebytes Labs.
  • Macworld didn't directly address those articles in a piece it published Monday about Mac security, but it did acknowledge the threats are real.

In the big picture, which operating systems attract more malware is beside the point. Windows may be targeted more often, but if you're the Mac user who gets victimized by tainted code, the tally doesn't matter. For Mac users, the important thing is to raise awareness of the threats they face and explain what they can do about it.

Below is a look at the Mac malware SophosLabs has intercepted, analyzed and protected customers against, followed by recent issues Naked Security has written about. From there, we look at some tips to ensure better protection.

View from the lab

Mac malware has been studied at length by SophosLabs, and in a 2017 malware forecast released last month, it warned that more threats are coming, including several varieties of ransomware.

Xinran Wu, a senior threat researcher with SophosLabs who specializes in Mac malware, said macOS tends to be more a victim of nuisance programs known as potentially unwanted applications (PUA) – adware, for example. From his vantage point, Mac malware tends to be more targeted than the drive-by downloads that have caused a lot of past damage across the operating system landscape. He explained:

Over the past few years, there have been limited numbers of malware families discovered each year. Most of them seem to be targeted rather than drive-by. Technically speaking, there are lots of things that are possible for malware. My guess is that the GateKeeper feature and the payment required for getting Apple developer accounts to sign and distribute software, coupled with low market share, might have helped with the lack of drive-by malware for the Mac platform.

Gatekeeper is a new feature in Mountain Lion and OS X Lion v10.7.5 that builds on OS X's existing malware checks to help protect Macs from malware and misbehaving apps downloaded from the internet.

Wu said the lab intercepts a lot of PUA families that are constantly being updated and 'aggressively pushed' at Sophos customers.

Recent threats

In addition to the malware mentioned in the SophosLabs malware forecast, Naked Security has covered a large number of Mac-based threats. For example:

  • On February 28, we wrote about ransomware detected and blocked by Sophos as OSX/Filecode-K and OSX/Filecode-L, written in the Swift programming language.
  • On January 24, we wrote about how Apple's macOS Sierra 10.12.3 security update addressed significant vulnerabilities attackers could use to hijack Mac and iPhone devices.
  • On December 14, we wrote about another Mac security update to address vulnerabilities that, if exploited, allowed attackers to hit users with drive-by downloads.

Defensive measures

Now that we've mapped out the various threats, let's delve into some things users can do to protect themselves. First, some suggestions for dealing with ransomware:

  • Read our advice on avoiding ransomware. Your best defense against any sort of malware is not to get infected in the first place.
  • Listen to our podcast on dealing with ransomware. We explain what you need to know in plain English.
  • Make regular backups and keep at least one copy offline. Ransomware is only one of many sudden ways to lose your precious data.
  • Try our free Sophos Home product to protect your Mac. Anti-virus and web filtering is for everyone, not just for Windows.

Other tips:

  • Consider using a real-time anti-virus on your Mac, even (or perhaps especially) if you have managed unharmed for years without one.
  • When Apple releases a security update, don't put it off. Download it immediately.


MacSpy is advertised as the 'most sophisticated Mac spyware ever', with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn't a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.

The authors state that they created this malware because Apple products have gained popularity in recent years. They also state that during their tenure in the field they noticed a lack of 'sophisticated malware for Mac users', and that they believe 'people were in need of such programs on MacOS'. So they created MacSpy. The MacSpy authors claim the following features in the free version of their RAT:

If you are willing to pay an unknown amount of bitcoins for the advanced version, the malware authors advertise the following features:

MacSpy is not as polished as some of the malware-as-a-service providers out there, as there doesn't seem to be any customer-facing automated sign-up for their service. To receive a copy of MacSpy we had to email the author our preferred username and password so that they could create an account for us. After confirming our details they created the account and delivered a zipped file along with the following instructions:

Initial Analysis

After unzipping the archive we observed that it contained the following four files:

  • Mach-O 64-bit executable called 'updated'
  • Mach-O 64-bit executable called 'webkitproxy'
  • Mach-O 64-bit dynamically linked shared library called 'libevent-2.0.5.dylib'
  • Config file

After examining webkitproxy and libevent-2.0.5.dylib, we noted that they are signed by Tor, and thus we concluded that they are related to Tor onion routing. The contents of the config file further convinced us that our suspicions were correct:

Config Contents

The 'updated' file, on the other hand, is not digitally signed, and it is currently completely undetected by the various AV engines on VirusTotal.

Anti-Analysis

MacSpy has several countermeasures that hamper analysis. To prevent debugging, it calls ptrace() with the PT_DENY_ATTACH option, a common anti-debugging check that prevents debuggers from attaching to the process.

If you bypass the ptrace countermeasure, MacSpy has additional code that checks if it is running in a debugger.

The code above is very similar to the debugger checking code from this Stack Overflow post.

In addition to the anti-debugging countermeasures, MacSpy contains checks against the execution environment that can make it difficult to run in a virtual machine. In the code below, you can see that MacSpy checks that the number of physical CPUs is greater than 1, the number of logical cores is greater than 3, and the number of logical cores is twice the number of physical cores. MacSpy also checks that there is at least 4 GB of memory on the host. Since malware sandboxes often run with minimal resources, these checks can prevent proper execution in virtual environments.

Similar to MacRansom, MacSpy also compares the machine model to 'Mac' using the 'sysctl' command. MacSpy also kills all Terminal windows, which can be annoying to analysts using command-line tools to analyze the malware (OSX/Dok exhibits similar behavior by killing Terminal windows).
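The environment gate described in the two paragraphs above, written out as an added example; this is neither MacSpy's code nor AlienVault's. The thresholds are exactly the ones stated (physical CPUs > 1, logical cores > 3, logical == 2 × physical, at least 4 GB of RAM, model string containing 'Mac'). The sysctl keys hw.physicalcpu, hw.logicalcpu, hw.memsize and hw.model used to read the live values are standard Darwin keys, but that the sample reads precisely these is an assumption. From the defender's side the point is sizing: an analysis VM that fails any of these checks will never show the behaviour documented below, and the function reports which check would stop it.

```python
"""Evaluate the environment gate described for MacSpy.

Added example for the anti-analysis section; this is neither MacSpy's code
nor AlienVault's. Thresholds are the ones the write-up states: physical
CPUs > 1, logical cores > 3, logical == 2 * physical, at least 4 GB of RAM,
and a model string containing "Mac". Used from the defender's side it tells
you whether an analysis VM is provisioned well enough for the sample to
proceed, and which check would stop it otherwise.
"""
import platform
import subprocess
from dataclasses import dataclass
from typing import List

FOUR_GB = 4 * 1024 ** 3   # the write-up says "4 GB"; taken here as 4 GiB


@dataclass(frozen=True)
class HostProfile:
    physical_cpus: int
    logical_cpus: int
    mem_bytes: int
    model: str


def failed_checks(profile: HostProfile) -> List[str]:
    """Names of the checks this host would fail; empty means the sample would run."""
    failures = []
    if not profile.physical_cpus > 1:
        failures.append("physical_cpus <= 1")
    if not profile.logical_cpus > 3:
        failures.append("logical_cpus <= 3")
    if profile.logical_cpus != 2 * profile.physical_cpus:
        failures.append("logical_cpus != 2 * physical_cpus")
    if profile.mem_bytes < FOUR_GB:
        failures.append("memory < 4 GB")
    if "Mac" not in profile.model:
        failures.append("model does not contain 'Mac'")
    return failures


def passes_environment_checks(profile: HostProfile) -> bool:
    return not failed_checks(profile)


def read_host_profile() -> HostProfile:
    """Read the live values on a macOS host with sysctl(8).

    hw.physicalcpu, hw.logicalcpu, hw.memsize and hw.model are standard Darwin
    sysctl keys; that the sample reads exactly these is an assumption here.
    """
    if platform.system() != "Darwin":
        raise RuntimeError("read_host_profile() needs macOS")

    def sysctl(key: str) -> str:
        return subprocess.check_output(["sysctl", "-n", key], text=True).strip()

    return HostProfile(int(sysctl("hw.physicalcpu")), int(sysctl("hw.logicalcpu")),
                       int(sysctl("hw.memsize")), sysctl("hw.model"))


# Constructed profiles: a minimally provisioned sandbox VM and one sized to pass.
MINIMAL_SANDBOX = HostProfile(1, 1, 2 * 1024 ** 3, "VMware7,1")
SIZED_SANDBOX = HostProfile(2, 4, 8 * 1024 ** 3, "MacBookPro11,1")

if __name__ == "__main__":
    for name, prof in (("minimal", MINIMAL_SANDBOX), ("sized", SIZED_SANDBOX)):
        print(f"{name}: {failed_checks(prof) or 'passes all checks'}")
```

Run on the macOS host that will carry the analysis VM, `failed_checks(read_host_profile())` tells you which of the five conditions the VM configuration must be raised to meet before the sample will get past this gate; a single-core, 2 GB sandbox fails all five.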

Persistence

In order to persist on the system the malware creates a launch entry in ~/Library/LaunchAgents/com.apple.webkit.plist. This ensures that the malware runs at startup and continues collecting information.

Behavior Analysis

Upon execution, after passing the anti-analysis checks and setting up persistence, the malware copies itself and its associated files from the original point of execution to '~/Library/.DS_Stores/' and deletes the originals in an attempt to stay hidden from the user. The malware then checks that its Tor proxy is working by using the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it collected earlier, such as system information, as POST requests through the Tor proxy. This process repeats for each kind of data the malware has collected. After exfiltrating the data, the malware deletes the temporary files containing the data it sent.
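A host-side hunt for the two artifacts named in the Persistence and Behavior Analysis sections, as an added example that is not part of AlienVault's write-up. It scans a LaunchAgents directory and flags a property list whose Label sits in Apple's com.apple.* namespace (the write-up names ~/Library/LaunchAgents/com.apple.webkit.plist), whose program runs from a hidden directory such as ~/Library/.DS_Stores/, or whose program matches a hash from an IoC set. The five values in the appendix are assumed to be MD5s (they have MD5 length); Label, Program and ProgramArguments are standard launchd keys. The sample home directory the block builds is constructed for the demo and contains a placeholder file, not the real binary.

```python
"""Hunt for the launch-agent and staging artifacts described above.

Added example, not AlienVault's code. Flags a LaunchAgents plist whose Label
is in Apple's com.apple.* namespace, whose program runs from a hidden
directory such as ~/Library/.DS_Stores/, or whose program's MD5 is in an
IoC set. Appendix values are assumed to be MD5s.
"""
import hashlib
import os
import plistlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Set

SUSPICIOUS_LABEL_PREFIX = "com.apple."
STAGING_DIR_NAME = ".DS_Stores"
APPENDIX_HASHES: Set[str] = {            # copied from the appendix of this write-up
    "6c03e4a9bcb9afaedb7451a33c214ae4",
    "c72de549a1e72cfff928e8d2591d7e97",
    "cc07ab42070922b760b6bf9f894d0290",
    "27056cabd185e939195d1aaa2aa1030f",
    "f38977a34b1f6d8592fa17fafdb76c59",
}


def md5_of(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()


def program_path(plist: Dict) -> str:
    """launchd runs either Program or ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def in_hidden_directory(path: str) -> bool:
    """True if any directory component of the path starts with a dot."""
    return any(p.startswith(".") for p in Path(path).parts[:-1])


def inspect_plist(path: Path, known_hashes: Set[str] = APPENDIX_HASHES) -> List[str]:
    """Return the reasons this launch agent resembles the described persistence."""
    with open(path, "rb") as f:
        plist = plistlib.load(f)
    reasons = []
    label = str(plist.get("Label", ""))
    if label.startswith(SUSPICIOUS_LABEL_PREFIX):
        reasons.append(f"Apple-namespaced label {label!r} in a user LaunchAgents folder")
    prog = program_path(plist)
    if prog and in_hidden_directory(prog):
        reasons.append(f"program {prog!r} runs from a hidden directory")
    if prog and STAGING_DIR_NAME in Path(prog).parts:
        reasons.append(f"program lives under the {STAGING_DIR_NAME} staging directory")
    if prog and os.path.isfile(prog) and md5_of(Path(prog)) in known_hashes:
        reasons.append("program matches a known-bad hash")
    return reasons


def scan_launch_agents(directory: Path, known_hashes: Set[str] = APPENDIX_HASHES) -> Dict[str, List[str]]:
    """Map each suspicious plist name to its reasons; clean plists are omitted."""
    findings: Dict[str, List[str]] = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            reasons = inspect_plist(plist_path, known_hashes)
        except (plistlib.InvalidFileException, OSError) as exc:
            reasons = [f"unreadable plist: {exc}"]   # worth a look on its own
        if reasons:
            findings[plist_path.name] = reasons
    return findings


def write_constructed_sample(root: Path):
    """Create a constructed home directory mimicking the described layout."""
    agents = root / "Library" / "LaunchAgents"
    staging = root / "Library" / STAGING_DIR_NAME
    agents.mkdir(parents=True)
    staging.mkdir(parents=True)
    binary = staging / "updated"
    binary.write_bytes(b"constructed placeholder, not the real sample\n")
    with open(agents / "com.apple.webkit.plist", "wb") as f:
        plistlib.dump({"Label": "com.apple.webkit", "RunAtLoad": True,
                       "ProgramArguments": [str(binary)]}, f)
    with open(agents / "com.example.backup.plist", "wb") as f:   # benign control
        plistlib.dump({"Label": "com.example.backup",
                       "ProgramArguments": ["/usr/local/bin/backup"]}, f)
    return agents, binary


def build_demo(match_binary_hash: bool = False) -> Dict[str, List[str]]:
    """Scan the constructed sample; optionally treat its binary's MD5 as an IoC."""
    root = Path(tempfile.mkdtemp(prefix="macspy-demo-"))
    try:
        agents, binary = write_constructed_sample(root)
        known = {md5_of(binary)} if match_binary_hash else APPENDIX_HASHES
        return scan_launch_agents(agents, known)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, reasons in build_demo().items():
        print(name, *("\n  - " + r for r in reasons))
    # Live hunt: scan_launch_agents(Path.home() / "Library" / "LaunchAgents")
```

The label check is the cheap, high-signal one: Apple does not install com.apple.* agents into a user's ~/Library/LaunchAgents, so any plist there claiming that namespace deserves attention regardless of the hash list, which only catches the exact builds in the appendix.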

The following curl command is used to exfiltrate data:

Contents of ~/Library/.DS_Stores/data/tmp/SystemInfo

User Web Portal

In our initial email to the malware authors we sent a set of credentials that we wanted to use in their web portal. After logging into the MacSpy web portal you are greeted with a very bare-bones directory listing containing a folder named for the most recent date on which the malware ran on a system, in YYYYMM format, followed by a folder in DD format. Inside that folder you find a series of directories mirroring the directory names on the victim system, and inside those folders is the data collected from the victim on which the malware was executed.

Detection

NIDS

The best way to detect MacSpy running on a Mac is to use a combination of Network IDS (NIDS) rules as it communicates. As it turns out, AlienVault provides this rule in its threat intelligence, which has already been updated with a rule called 'System Compromise, Malware RAT, MacSpy'. This feeds into the USM correlation engine to generate an alarm that will notify AlienVault customers that one of their systems is compromised.

Osquery

Yara

You can use the rule below in any system that supports Yara to detect this Mac-based malware.

Conclusion

People generally assume that when they are using Macs they are relatively safe from malware. That has generally been true, but it is becoming less true by the day, as evidenced by the increasing diversity of Mac malware, including this new family. While this piece of Mac malware may not be the most stealthy program, it is feature rich, and it goes to show that as OS X continues to grow in market share we can expect malware authors to invest greater amounts of time in producing malware for this platform.

If you want to find out more about this malware, here is a pulse we have in the AlienVault Open Threat Exchange (OTX):

Appendix:

6c03e4a9bcb9afaedb7451a33c214ae4
c72de549a1e72cfff928e8d2591d7e97
cc07ab42070922b760b6bf9f894d0290
27056cabd185e939195d1aaa2aa1030f
f38977a34b1f6d8592fa17fafdb76c59




