Cybersecurity firm Guardz has found Russian hackers offering for sale a Hidden VNC tool specifically designed to give attackers full access to Macs. It follows a similar tool for accessing Windows PCs, and is geared to stealing personal data and logins.
The HVNC (Hidden Virtual Network Computer) is being sold on the dark web, and as a sign of good faith that the tool works as claimed, the hackers have deposited $100K in an escrow account …
Guardz says that the tool is being marketed to attackers who want to gain access to Macs used in small to medium businesses, in order to steal login credentials.
Guardz CIR team delved into the prominent Russian cybercrime forum “Exploit.” Our team discovered another tool available since April 2023, specifically targeting macOS devices owned by SMEs […]
For a lifetime price of $60,000, the threat actor will provide you with a malicious tool that supports persistence, runs without requesting any permission from the user, has a reverse shell plus remote file manager, and was tested on a wide array of macOS versions from 10 up to 13.2.
An HVNC is a variation on a standard VNC. Among other things, normal VNC apps are commonly used by IT teams when carrying out remote support for Macs and PCs. They allow the help desk person to take control of your machine, but you have to grant permission, and you can watch what they are doing.
An HVNC is far more dangerous, as it gives an attacker the same capabilities – using your Mac as if they were in the room with you – but without you needing to grant permission, and without you being able to see what they are doing. They effectively create a completely separate user session that is entirely invisible to you.
Guardz found that the HVNC tool is very sophisticated. It runs in stealth mode, meaning that most tools designed to protect Macs will not detect it, and is persistent, so can’t be stopped and removed by restarting your Mac.
The firm noted that the seller has placed $100,000 in escrow as a guarantee that the malware works as promised.
Not only does he have a “Seller” status, a type of achievement that requires approval by the underground forum administration, but RastaFarEye also made a good faith deposit of $100,000.
The $100,000 deposit (that equals 3.33 Bitcoin) helps the other cybercriminals to understand that the person behind this profile is a high-profile actor. This money is kept in the escrow account of the forum administration as a type of underground insurance in case the offered product is not as described in the original post.
How to protect yourself
Although the tool is being pitched at those wanting to gain access to Macs used in businesses, it would be equally effective against personally owned Macs.
One key to protecting yourself from this type of threat is to keep your Mac updated to the latest macOS version available for your machine. This malware only works on Macs up to and including macOS Ventura 13.2, for example, while the current version is 13.4.1.
Otherwise, standard cybersecurity hygiene measures are the key. Never install apps from outside the Mac App Store unless you know the developer is trustworthy. Never open unexpected attachments, even if they appear to come from a known contact. Never click on links in emails unless you are certain they are safe; it’s always preferable to access sites from your own bookmarks, or by typing in the URL.
FTC: We use income earning auto affiliate links. More.