MacSpy is a remote access trojan (RAT) targeting OS X and the first known malware-as-a-service (MaaS) offering aimed at Mac users. It is distributed through a Dark Web forum, either for free or as a paid, advanced version. The author claims it is the "most sophisticated Mac spyware ever," created to fill a perceived market gap for macOS malware. The free version claims to capture screenshots, log keystrokes, record voice, retrieve clipboard contents, retrieve browsing data, obtain iCloud photos while they are being synced, and communicate over the Tor network. The paid, advanced version additionally claims to let the operator adjust capture and recording intervals remotely, retrieve any files and data, encrypt the entire user directory, disguise the malware as a legitimate file, and access email and social network accounts.

MacSpy includes anti-analysis capabilities, namely debugger and virtualization checks, and creates a launch entry so that it runs every time the device is powered on. Customers who want to sign up for the service must email the author directly to obtain a zipped file. The customer then infects machines by loading the unzipped MacSpy folder onto a USB drive and manually executing its files on the target. The executable, "update", is not signed, and at the time of writing it was not detected by antivirus engines on VirusTotal.
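Two of the details above are directly huntable on a Mac: the launch entry used for persistence and the unsigned "update" executable. The following script is an added example (it is not code from this page or from AlienVault's analysis) that enumerates launchd jobs under the standard LaunchAgents/LaunchDaemons directories, resolves the program each job runs, and flags jobs whose binary is unsigned, lives in a hidden or temporary directory, or is set to start at load. The page publishes no MacSpy indicators (no plist label, install path or hash), so the embedded sample plist, its label `com.example.updater` and the path `/Users/victim/.hidden/update` are constructed placeholders chosen only to exercise the logic; the `codesign` check runs only where that tool exists (macOS) and otherwise reports "unknown".

```python
"""Triage launchd persistence on macOS: list LaunchAgent/LaunchDaemon jobs,
resolve the program each one runs, and flag unsigned or oddly placed binaries.
Added example for this page; it uses no MacSpy artefacts (none are published here)."""
import os
import plistlib
import shutil
import subprocess
from pathlib import Path
from typing import Callable, List, Optional, Tuple

# Where launchd looks for per-user and system-wide jobs.
LAUNCH_DIRS = [
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path.home() / "Library" / "LaunchAgents",
]

# Constructed sample job (illustrative label and path, not MacSpy's), so the
# parser and triage logic can be exercised on a machine without the malware.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/.hidden/update</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_from_plist(data: bytes) -> Optional[str]:
    """Return the executable a launchd job runs (Program, else ProgramArguments[0])."""
    job = plistlib.loads(data)
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def codesign_status(path: str) -> str:
    """'signed', 'unsigned', or 'unknown' when codesign or the file is unavailable."""
    if not os.path.exists(path) or shutil.which("codesign") is None:
        return "unknown"
    result = subprocess.run(["codesign", "--verify", "--strict", path],
                            capture_output=True, text=True)
    # codesign exits non-zero for unsigned or tampered code; stderr says which.
    return "signed" if result.returncode == 0 else "unsigned"


def suspicious_location(path: str) -> bool:
    """Hidden directories and temp paths are unusual homes for a launchd program."""
    parts = Path(path).parts
    hidden = any(p.startswith(".") and p not in (".", "..") for p in parts)
    temp = path.startswith(("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/"))
    return hidden or temp


def triage(data: bytes, status_fn: Callable[[str], str] = codesign_status) -> List[str]:
    """Reasons a job deserves a closer look; an empty list means nothing stood out."""
    job = plistlib.loads(data)
    program = program_from_plist(data)
    if program is None:
        return ["job has no Program or ProgramArguments"]
    reasons = []
    if status_fn(program) == "unsigned":
        reasons.append("unsigned executable")
    if suspicious_location(program):
        reasons.append("program lives in a hidden or temporary directory")
    # RunAtLoad is common in legitimate agents, so only note it alongside another finding.
    if job.get("RunAtLoad") and reasons:
        reasons.append("starts automatically at login/boot (RunAtLoad)")
    return reasons


def scan(dirs=LAUNCH_DIRS) -> List[Tuple[str, List[str]]]:
    """Walk the launchd directories and collect (plist path, reasons) for flagged jobs."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for plist in d.glob("*.plist"):
            try:
                reasons = triage(plist.read_bytes())
            except Exception as exc:  # a malformed plist is itself worth a look
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                findings.append((str(plist), reasons))
    return findings


if __name__ == "__main__":
    # Force "unsigned" for the constructed sample so the full output is visible off-macOS.
    print("sample job:", triage(SAMPLE_PLIST, status_fn=lambda p: "unsigned"))
    for path, reasons in scan():
        print(path, "->", "; ".join(reasons))
```

Run it as the user whose agents you want to inspect; system-wide LaunchDaemons need root to read in some configurations. Treat the output as a triage list rather than a verdict: plenty of legitimate software is unsigned or auto-starts, so each hit should be confirmed by inspecting the binary (hashes, VirusTotal, strings) before acting.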

Technical Details

  • AlienVault provides technical details on MacSpy here.