Pierluigi Paganini
January 06, 2023
Microsoft Security Threat Intelligence team warns of four different ransomware families (KeRanger, FileCoder, MacRansom, and EvilQuest) that impact Apple macOS systems.
The initial vector in attacks involving Mac ransomware typically relies on user-assisted methods, such as downloading and running fake or weaponized applications. The ransomware can also be delivered as a second-stage payload dropper or part of a supply chain attack.
The experts state that malware creators abuse legitimate functionalities and implement various techniques to exploit vulnerabilities, evade defenses, or trick users into infecting their devices.
One of the most important capabilities of ransomware is the capability of targeting specific files to encrypt. Microsoft researchers observed various techniques used by ransomware families to enumerate files and directories on Mac.
FileCoder and MacRansom use the Linux find utility to search for selected files to encrypt.
The FileCoder ransomware, for example, searches the “/Users” and “/Volumes” directories by invoking the find command twice, using different paths to enumerate and excluding the README file while searching the “/Users” path.
The researchers reported that KeRanger and EvilQuest use a sequence of opendir(), readdir(), and closedir() library functions to get the list of files.
The KeRanger, MacRansom, and EvilQuest ransomware families utilize a combination of hardware- and software-based checks to avoid being executed in a virtual environment for analysis and debugging purposes.
Hardware-based checks include checking a device’s hardware model (MacRansom), checking the logical and physical processors of a device (MacRansom), checking the MAC OUI of the device (EvilQuest), and checking the device’s CPU count and memory size (EvilQuest).
Code-related checks include delayed execution (KeRanger), PT_DENY_ATTACH (PTRACE) for an anti-debugging trick that prevents debuggers from attaching to the current malware process (EvilQuest and MacRansom), P_TRACED flag to check whether malware is being debugged (EvilQuest), and time-based check (EvilQuest).
Persistence is maintained by creating launch agents or launch daemons or using kernel queues.
“The ransomware families we analyzed often share similar anti-analysis and persistence techniques. However, these same ransomware families differ in encryption logic. Some use AES-RSA encryptions, while others use system utilities, XOR routine, or custom encryption logic to encrypt files. These encryption methods range from in-place modification to creating a new file while deleting the original one.” reads the analysis published by Microsoft. “Common among the ransomware observed is adding a new extension or simply encrypting the file without adding any new one.”
While FileCoder uses the ZIP utility to encrypt files, KeRanger uses AES encryption in Cipher block chaining (CBC) mode to encrypt files. MacRansom employes a symmetric algorithm for encrypting files and decrypting its ransom note “._README_”.
EvilQuest also uses a custom symmetric key encryption routine to encrypt victims’ files.
The researchers observed two EvilQuest variants using two mechanisms of keylogging (T1056.001), the API CGEventTapCreate and the IOHIDManagerCreate API.
EvilQuest uses a set APIs (NSCreateObjectFileImageFromMemory, NSLinkModule, NSLookupSymbolInModule, NSAddressOfSymbol) to implement in-memory execution-
“Ransomware continues to be one of the most significant threats affecting any platform. Our analysis of ransomware on Mac operating systems shows how its creators use various techniques to remain hidden from automated analysis systems or make manual inspection by analysts challenging.” Microsoft concludes. “Understanding ransomware routines and their effects on any device or platform is essential for individual users to take steps toward device and data protection.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Mac ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
