MacSpy is a malware-as-a-service offered on the darkweb [1].

ID: S0282
Platforms: macOS
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

MacSpy uses HTTP for command and control.[1]

Enterprise T1123 Audio Capture

MacSpy can record the sounds from microphones on a computer.[1]

Enterprise T1115 Clipboard Data

MacSpy can steal clipboard contents.[1]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

MacSpy persists via a Launch Agent.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

MacSpy stores itself in ~/Library/.DS_Stores/ [2]

Enterprise T1070 .004 Indicator Removal: File Deletion

MacSpy deletes any temporary files it creates[2]

Enterprise T1056 .001 Input Capture: Keylogging

MacSpy captures keystrokes.[1]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

MacSpy uses Tor for command and control.[1]

Enterprise T1113 Screen Capture

MacSpy can capture screenshots of the desktop over multiple monitors.[1]