The keylogger saves data in ~/.keys folder, also as a binary plist in consecutively numbered log files, skey1.log, skey2.log and so on. ~/.rts records active app usage in a binary plist file called syslog: When all is functioning as intended, the rtcfg exec creates two invisible folders in the User’s home directory. This has a serious effect on the spyware’s capabilities, as we’ll see a little further on. This appears to be its only means of persistence across boot ups, although the relaunch binary – as might be expected from the name – helps persist the rtcfg executable during the same session if it is killed for some reason.Įxodus-MacOS-1.64.1-update and friends also add themselves to System Preferences’ Accessibility Privacy pane, though for versions of macOS 10.12 or later this is disabled by default. Upon successful installation, the malware uses AppleScript to add itself to the user’s Login Items. Likewise, each contains a second executable in the Resources folder called relaunch. All versions of the spyware have the same bundle identifier, system.rtcfg. The core binary in all cases is a Mach-O 64-bit executable with the name rtcfg. Based on the name, it would also appear to be targeting bitcoin users: This remains undetected on VirusTotal at the time of writing. The same binary appears on VirusTotal as Macbook.app in September 2017, and again as Taxviewer.app in May 2018.Ī slightly different version, picupdater.app, is created on Jand is first seen on VirusTotal the very next day.Įxodus-MacOS-1.64.1-update, the one seen in the email campaign, contains an updated version of the executable that was built on 31 October, 2018 and again first seen on VirusTotal the following day.Īll the above are detected by 21 of the engines on VirusTotal, but we also discovered another version of this build, called HitBTC-listing-offer.app. In fact, we found three different versions distributed in six fake apps since 2016:įirst seen on VirusTotal in March 2017 in launchPad.app, this version of the spyware appears to have been created around November 2016. This was not the first case of this trojan spyware. After installation, stealth is one of the key features the developers of RealTimeSpy promote. It’s worth noting that “Yes” is enabled by default, meaning that anyone put off by the lengthy text could reflexively hit the enter/return key before realising what they were doing.
Any success would reap high rewards given the spyware’s capabilities. That may have been due to a lack of technical skill, but we shouldn’t ignore the likelihood the authors were aware of this even as they planned their campaign. The attackers did not make any attempts to remove or hide these alerts, such as through binary editing or splash screens with transparent buttons. Given this, and that there’s at least two authorization requests that follow, we would expect a low infection rate. Verbose alerts are displayed when installing the spyware:
We’ll leave aside the ethics of covert surveillance in such situations, noting only that the developers do make repeated efforts to warn that their software shouldn’t be installed on any device not owned by the installer. RealTimeSpy is a commercial product which, according to the developer’s website, is aimed at employers and parents who want to monitor their computers. Spyware with Low Chance of Success, but High Rewards In this post, we look into this incident in more detail and examine the implications of this kind of spyware. The program is also able to capture social networking activities and website visits. It’s reasonable to assume the aim was to steal the contents of bitcoin wallets, but this macOS spyware can also steal other personal data through screenshots and keylogging.
Although there’s no suggestion the developers of RealTimeSpy were involved, there is no doubt that those behind the email campaign hoped to install a version of RealTimeSpy on victims’ computers.
The preliminary analysis indicated the scammers had repurposed a binary belonging to a commercial spyware app, RealTimeSpy.
According to their initial report, an email campaign pretending to offer an update for Exodus in fact tried to install spyware. In early November, F-Secure reported a targeted campaign aimed at installing a keylogger on devices belonging to users of Exodus cryptowallet.
Learn what to look out for and how to avoid similar spyware attacks. We investigate a macOS keylogger targeting Exodus cryptocurrency asset manager.