Malware for Mac offered on the Dark Web

Security researchers have now managed to obtain two samples of malware written specifically for Apple's macOS that have been offered on the Dark Web in recent weeks.

The destructive programs have appeared on two new websites in the more underground part of the net.

Security researchers have finally got their hands on samples of two new strains of Mac malware that have been offered through Malware-as-a-Service (MaaS) portals on the Dark Web for almost two weeks now.

Both portals were launched on May 25 and were discovered by your reporter during a routine scan of the Dark Web. The first site is named MacSpy and peddles Mac spyware, while the second is named MacRansom, and is renting ransomware in a classic RaaS scheme.

Bleeping Computer

The two new programs are MacSpy and MacRansom.

MacRansom
⟡ MacRansom author needs to approve each client, negotiate fees, and manually build each ransomware sample, defeating the purpose of running a RaaS in the first place.
⟡ Ransomware uses symmetric encryption, with the encryption keys included in the ransomware's source code.
⟡ One of these encryption keys is permuted with a random number and dropped from memory after the encryption ends. This means the ransomware loses one of the two encryption keys.
⟡ The ransomware doesn't communicate with a C&C server, meaning there's no way for the ransomware author to decrypt locked files.
⟡ Ransomware doesn't use a Tor-based payment panel but requires users to get in contact with the renter via email.
⟡ The ransomware file is not digitally signed, meaning it will trigger security alerts when executed on a standard macOS installation.
[MacRansom report here]


MacSpy
⟡ MacSpy author appears to have copy-pasted code from Stack Overflow
⟡ Spyware payload is not digitally signed, meaning it will trigger security alerts when executed on a standard macOS installation.
[MacSpy report here]


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.