MacSpy is advertised as the 'most sophisticated Mac spyware ever”, with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn’t a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.

• Rat For Mac Os X 10.13
• Rat For Mac Os X 10.7
• Rat For Mac Os X 10.10

1. The BlackHole RAT trojan for Mac OS X. Like all trojans, BlackHole RAT tricks users into thinking it is a legit application. When launched, it installs its payload. Currently, the trojan places.
2. D-RATS includes the ability to send free-form text and fixed-form text as well as the ability to receive APRS/DPRS type position reports. DSTARUsers.org is the original D-STAR site. It provides the Last Heard list and also has a database of D-STAR repeaters. Mac OS X Leopard/Snow Leopard, or many flavors of Linux.
3. Recommended methods for Bella RAT removal: Solution for Mac OS X Devices. Bella RAT is capable of injecting harmful codes in your Mac OS X devices without your knowledge and starts corrupting major genuine functions or applications in very quick time. To avoid the detection of malicious activities related to this virus, attackers attempt to.

EvilOSX - An Evil RAT (Remote Administration Tool) For macOS/OS X Reviewed by Zion3R on 5:39 PM Rating: 5 Tags Backdoor X EvilOSX X Mac X MacOS X OS X X Passwords X Payload X Pentesting X Post Exploitation X Python X Python3 X RAT X Reverse Shell X Server.

The authors state that they created this malware due to Apple products gaining popularity in the recent years. They also state that during their tenure in the field that they have noticed a lack of 'sophisticated malware for Mac users' and they believe that 'people were in need of such programs on MacOS'. So they created MacSpy. The MacSpy authors claim to have the following features in the free version of their RAT:

If you are willing to pay an unknown amount of bitcoins for the advanced version, the malware authors advertise the following features:

MacSpy is not as polished as some of the malware-as-a-service providers out there, as there doesn’t seem to be any customer facing automated service of signing up for their service. In order to receive a copy of MacSpy we had to email the author our preferred username and password, in order for them to make us an account. After confirming our details they created an account for us, and delivered a zipped file and the following instructions:

Initial Analysis

After unzipping the archive we observed it contained the following files:

The archive contains four files:

• Mach-O 64-bit executable called 'updated'
• Mach-O 64-bit executable called 'webkitproxy'
• Mach-O 64-bit dynamically linked shared library called 'libevent-2.0.5.dylib'
• Config file

After examining webkitproxy and libevent-2.0.5.dylib, we noted they are signed by Tor, and thus we concluded that they are related to the function of Tor Onion routing. The contents of the config file further convince us of our suspicions are correct:

Config Contents

The 'updated' file, on the other hand is not digitally signed, and it is currently completely undetected by various AV companies on VirusTotal.

Anti-Analysis

MacSpy has several countermeasures that hamper analysis efforts. To prevent debugging, it calls ptrace() with the PT_DENY_ATTACH option. This is a common anti-debugger check and will prevent debuggers from attaching to the process.

If you bypass the ptrace countermeasure, MacSpy has additional code that checks if it is running in a debugger.

The code above is very similar to the debugger checking code from this Stack Overflow post.

In addition to the anti-debugging countermeasures, MacSpy contains checks against the execution environment that can make it difficult to run in a virtual machine. In the code below, you can see that MacSpy checks that the number of physical CPUs is greater than 1, the number of logical cores is greater than 3, and the number of logical cores is twice the number of physical cores. MacSpy also checks that there is at least 4 GB of memory on the host. Since malware sandboxes often run with minimal resources, these checks can prevent proper execution in virtual environments.

Similar to MacRansom, MacSpy also compares the machine model to 'Mac' using the 'sysctl' command. MacSpy will kill all Terminal windows which can be annoying to analysts using command line tools to analyze the malware (OSX/Dok exhibits similar behavior by killing Terminal windows).

Persistence

In order to persist on the system the malware creates a launch entry in ~/Library/LaunchAgents/com.apple.webkit.plist. This ensures that the malware will run at start up to continue collecting information.

Behavior Analysis:

Upon execution, successfully passing the anti-analysis checks and setting persistence, the malware then copies itself and associated files from the original point of execution to '~/Library/.DS_Stores/' and deletes the original files in an attempt to stay hidden from the user. The malware then checks the functionality of its tor proxy by utilizing the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it had collected earlier, such as system information, by sending POST requests through the TOR proxy. This process repeats again for the various data the malware has collected. After exfiltration of the data, the malware deletes the temporary files containing the data it sent.

The following curl command used to exfiltrate data:

Contents of ~/Library/.DS_Stores/data/tmp/SystemInfo

User Web Portal

In our initial email to the malware authors we sent a set of credentials that we wanted to use in their web portal. After logging into the MacSpy web portal you are greeted with a very bare bones directory listing containing a folder labeled the most recent date of the malware executing on a system in the YYYYMM format, followed by a folder in the DD format. Diving into that folder you're treated with a series of directories similar to that of the directory naming on the victim system. Inside these folders is the data that was collected from the victim the malware was executed on.

Detection

NIDS

The best way to detect MacSpy running on a Mac is to use a combination of Network IDS (NIDS) rules as it communicates. As it turns out, AlienVault provides this rule in its threat intelligence, which has already been updated with a rule called 'System Compromise, Malware RAT, MacSpy'. This feeds into the USM correlation engine to generate an alarm that will notify AlienVault customers that one of their systems is compromised.

Osquery

Yara

You can use the rule below in any system that supports Yara to detect this Mac-based malware.

Conclusion

People generally assume when they are using Macs they are relatively safe from malware. This has been a generally true statement, but this belief is becoming less and less true by the day, as evidenced by the increasing diversity in mac malware along with this name family. While this piece of Mac malware may not be the most stealthy program, it is feature rich and it goes to show that as OS X continues to grow in market share and we can expect malware authors to invest greater amounts of time in producing malware for this platform.

If you want to find out more about this malware, here is a pulse we have in the AlienVault Open Threat Exchange (OTX):

Appendix:

6c03e4a9bcb9afaedb7451a33c214ae4
c72de549a1e72cfff928e8d2591d7e97
cc07ab42070922b760b6bf9f894d0290
27056cabd185e939195d1aaa2aa1030f
f38977a34b1f6d8592fa17fafdb76c59

You really can't because anything like that would likely require or somehow gain access to your Admin password and likely install itself in the best possible location possible, in EFI as firmware program.

Rat For Mac Os X 10.13

EFI is a software firmware that loads before OS X or Windows loads and sits right between the hardware firmware and any operating system, can access the boot drive, record keystrokes and communicate over the Internet without you or the operating system even knowing about it.

EFI resides in it's own hidden partition on the boot drive and survives despite the operating system being reinstalled.

Far as I know there is nothing that can verify if the contents of EFI are legitimate or not, if you suspect you installed something from a untrustworthy source and noticing unusual network traffic despite having eliminated all other possibilities, you might be RATTED.

If you have another Mac, you can install KisMAC and enable the passive driver in preferences and watch the network traffic between your suspected Mac and the wifi router. RAT network activity should be rather high when your not doing jack squat with the suspected machine.

The only solution to this is a complete drive reformat or replacement from Internet Recovery, however if it's got in that deep it's likely to be tainted even Internet Recovery, as I believe that's hardware firmware based which is susceptible to unwanted change. You'll have to take your chances, but if your machine boots from the older Snow Leopard disks, then I would start from there and work back up to 10.8 agian that way.

Rat For Mac Os X 10.7

There is keyboard and battery firmware that also can be changed by malware, however supposedly it's so small that not much can be placed there and reinfect a cleaned system.

We only know about OS X malware if it makes enough copies it draws the attention of security researchers, limited targeted attacks on users is rather trivial task.

Rat For Mac Os X 10.10

Jun 29, 2013 8:45 AM