The Mac Security Blog

Malware

Did ChatGPT find Mac malware on the Dark Web? Report of HVNC macOS variant

Posted on by

The same research group that recently claimed to have unveiled ShadowVault has managed to find its way back into the news cycle.

Some Mac news publications have recently run headlines such as “ChatGPT uncovers Mac malware on the Dark Web.”  You might be tempted to believe it; after all, ChatGPT—and other AI bots—have constantly saturated headlines throughout 2023.

In reality, what actually occurred is significantly less sensational. The research group essentially asked ChatGPT, “Hey, do you think there’s more Mac malware out there?” And ChatGPT basically answered, “Yeah, probably.”  Then the researchers were like, “Okay, cool, we’ll go back to doing our jobs now, and try to find some.”

Yep, that’s the truth behind the headline.

But the (somewhat) more interesting story is what the researchers actually claim to have uncovered.

A macOS version of the HVNC hacking tool?

As seems to be their modus operandi, the research group again poked around on the “Dark Web” (i.e. cybercrime forums), trying to find evidence of novel Mac malware.

They claim to have found a forum post by a seemingly credible* threat actor going by the name of RastaFarEye. (*Well, as much as criminals on cybercrime forums can be considered “credible.”)  The threat actor alleges that for a “Lifetime Price” starting at $60,000, he’ll grant buyers access to a “macOS Secure-Websocket HVNC.”

In short, he claims to be selling a backdoor or remote access Trojan (RAT). VNC stands for Virtual Network Computing; it’s a technology that has been around since the late 1990s, and is still built into macOS today. It enables an authorized party to remotely control another computer. HVNC is a malicious variant of VNC; the H stands for hidden, meaning it’s designed to run entirely in the background, without the victim’s knowledge or consent.

The alleged Mac HVNC variant can supposedly do other things, like grant a malicious party remote access to files. It can also supposedly gain persistence; this means it can install itself in such a way that it automatically opens in the background whenever the Mac restarts. This is all pretty standard fare for backdoor malware.

And that’s pretty much all there is to say about “the macOS HVNC Tool” at this point. The research group wasn’t about to pay tens of thousands of dollars to a cybercriminal. Thus, they did not provide any screenshots, samples, or anything else that can actually confirm that such a tool actually exists.

Intego has attempted to find Mac variants of HVNC, but has so far not found any confirmed samples.

How can one remove or prevent Mac malware like HVNC?

So far, no one has definitely confirmed any samples as being a Mac version of HVNC. No one has confirmed any sales of the alleged new Mac malware, either. However, Intego already detects the Windows version of HVNC; we also frequently add detection for newly discovered Mac backdoors, RATs, and other spy tools and malware.

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can protect against, detect, and eliminate Mac malware, including backdoor spyware similar to HVNC.

If you believe your Mac may be infected—or to prevent future infections—use trusted antivirus software. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It’s compatible with a variety of Mac hardware and OS versions, including the latest Apple silicon Macs running macOS Ventura.

Additionally, if you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from HVNC and other PC malware. Intego detects Windows variants of HVNC under names such as trojan/TR/AD.Hvnc.hcsz.

VirusBarrier X6, X7, and X8 on older Mac OS X versions also provide protection. Note, however, that it is best to upgrade to the latest versions of macOS and VirusBarrier; this will help ensure your Mac gets all the latest security updates from Apple.

How can I learn more?

For a few additional details about how the researchers assessed the “credibility” of the threat actor, you can read the original write-up by Guardz.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →