S0282 MacSpy
MacSpy is a malware-as-a-service offered on the darkweb.[1]
Item | Value |
---|---|
ID | S0282 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 17 October 2018 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | MacSpy uses HTTP for command and control.[1] |
enterprise | T1123 | Audio Capture | MacSpy can record the sounds from microphones on a computer.[1] |
enterprise | T1115 | Clipboard Data | MacSpy can steal clipboard contents.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.001 | Launch Agent | MacSpy persists via a Launch Agent.[1] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | MacSpy stores itself in ~/Library/.DS_Stores/.[2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | MacSpy deletes any temporary files it creates.[2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | MacSpy captures keystrokes.[1] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.003 | Multi-hop Proxy | MacSpy uses Tor for command and control.[1] |
enterprise | T1113 | Screen Capture | MacSpy can capture screenshots of the desktop over multiple monitors.[1] |