Guardz Identifies New macOS hVNC Malware, Revealing Emerging Trend of macOS Attack-as-a-Service Tools
August 2023 by Guardz
Guardz disclosed the existence of a Hidden Virtual Network Computing (hVNC) malware targeting macOS devices. The malware, which is available on the major Russian dark web forum Exploit, allows cybercriminals to gain and maintain persistent unauthorized access to a victim’s Mac computer without being detected, and demonstrates the concerning emergence of a growing number of macOS-focused Attack-as-a-Service tools.
While cybercriminals have predominantly designed malware to target Microsoft Windows devices at scale, they are now increasingly developing tools for macOS. This shift directly affects small and medium-sized enterprises (SMEs), where macOS devices are widely used. Recently, Guardz identified an information-stealing malware called 'ShadowVault,' which also exclusively targets macOS devices. This discovery, together with the growing discussion of macOS tools on underground cybercrime forums, suggests an imminent surge in cyberattacks against macOS users. SMEs that once considered macOS the safer option should exercise caution and prepare for the impact of this changing threat landscape.
Traditional Virtual Network Computing (VNC) software allows users to remotely control another computer over a network with the owner's permission and is often used for remote technical support. hVNC is a malicious variant of this technology: it provides the same remote control, but hidden from the user, and is typically distributed through attack vectors such as email attachments, malicious websites, or exploit kits. The macOS hVNC identified by Guardz has been available since April 2023, with updates made as recently as July 13, 2023, and was tested on a wide array of macOS versions from 10 through 13.2. It is being sold at a lifetime price of $60K, with additional capabilities available for an added fee, by an active Exploit forum member called RastaFarEye. The forum member has a significant track record of malicious activity, having already developed a Windows OS hVNC variant, among other attack tools.
The macOS malware operates covertly, gaining access without requesting permission from the user and deliberately concealing its presence to evade detection by SMEs. Its persistence mechanisms keep it active even after system reboots or attempts at removal. It is mainly used for data theft, with a focus on extracting sensitive information from employees' computers, including login credentials, personal data, financial information, and more. This combination of stealth, persistence, data theft, and remote control makes the malware a very potent tool in the hands of malicious actors.
"SMEs must remain vigilant and work with their trusted MSP partners to obtain complete protection against the growing threats targeting the macOS systems that were previously assumed to be more secure," said Dor Eisner, CEO and Co-Founder of Guardz. "As with all Attack-as-a-Service tools, protecting against this new stealth malware requires robust and active cybersecurity measures, as well as ongoing user education about the risks of suspicious email attachments and files from untrustworthy sources, in particular. We look forward to continuing to shed light on emerging threats to help more companies and MSP partners ensure that their business and employees remain secure."
The revelation by Guardz follows the company's disclosure of the ShadowVault malware in July 2023, when the Guardz research team announced the existence of the new information stealer, available for rent on the dark web's popular XSS forum. That malware is capable of stealing sensitive data from macOS-based devices, posing a significant threat to businesses and individuals alike.