OSX Ransomware Spread via a Rogue BitTorrent Client Installer
The more popular a tool, platform or environment is, the more it will be targeted. Those who still think they are safe on OS X are wrong. Manuel wrote a diary two months ago about ransomware written in JavaScript (which could affect several environments). Yesterday, native OS X malware was detected and analyzed by Palo Alto Networks. It is called "KeRanger" and is spread via a trojanised installation package of Transmission, a popular BitTorrent client. The malicious file was available for download on the official Transmission website, which suggests that the site itself may have been compromised.
Once installed, the ransomware waits three days before activating itself; it then contacts its C2 over Tor and starts encrypting files. The ransom is 1 BTC (about $400 at the time of writing). Note that the binary is signed with a valid Apple developer certificate, so Gatekeeper does not block it (Apple has since revoked that certificate), and that it also attempts to encrypt Time Machine backups, the backup mechanism most OS X users rely on.
The MD5 of the malicious file is 24a8f01cfdc4228b4fc9bb87fedf6eb7 and, at the time of writing, it has zero detections on VirusTotal.
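Because the sample is signed and undetected by AV, the quickest practical check is to hash any Transmission installer you downloaded recently and compare it with the MD5 above. The script below is an added example, not code from the diary or from Palo Alto Networks: it walks the given directories, hashes installer-type files in chunks (so multi-hundred-megabyte .dmg files are fine), and reports any file whose MD5 is in the IOC set. The `demo()` function builds a constructed fake installer in a temporary directory and adds its hash to the IOC set purely to exercise the code; the file name and its contents are invented for the demo. Keep in mind that this only catches the installer on disk: because of the three-day delay, a machine where the trojanised package was already run may show no symptoms yet, so a hit here means the installed application needs to be treated as compromised too.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# IOC from the diary: MD5 of the trojanised Transmission installer.
KERANGER_INSTALLER_MD5 = {"24a8f01cfdc4228b4fc9bb87fedf6eb7"}


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(roots, ioc_md5=KERANGER_INSTALLER_MD5, suffixes=(".dmg", ".pkg", ".zip")):
    """Walk each root directory and return (path, md5, sha256) for every
    installer-type file whose MD5 matches an entry in ioc_md5.

    The SHA-256 is returned alongside so a hit can be cross-checked with
    sources that publish only SHA-256 indicators."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(suffixes):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    md5, sha256 = file_hashes(path)
                except OSError:
                    # Unreadable file (permissions, vanished mid-walk): skip it.
                    continue
                if md5 in ioc_md5:
                    hits.append((path, md5, sha256))
    return hits


def demo():
    """Constructed demo (not a real sample): a fake installer whose MD5 is
    added to the IOC set, next to an unrelated file that must not match."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "constructed-installer.dmg"
        bad.write_bytes(b"constructed sample bytes, not the real installer")
        good = Path(tmp) / "unrelated.dmg"
        good.write_bytes(b"some other disk image")
        bad_md5, _ = file_hashes(bad)
        hits = sweep([tmp], ioc_md5=KERANGER_INSTALLER_MD5 | {bad_md5})
        return [os.path.basename(p) for p, _, _ in hits]


if __name__ == "__main__":
    # Real use on a Mac: python3 this_script.py after editing the roots.
    for path, md5, sha256 in sweep([os.path.expanduser("~/Downloads")]):
        print(f"IOC HIT {path}\n  md5={md5}\n  sha256={sha256}")
    print("demo hits:", demo())
```

On a live machine, point `sweep()` at `~/Downloads` and any other directory where installers land; an empty result only tells you the installer is not lying around, not that it was never executed.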
Xavier Mertens
ISC Handler - Freelance Security Consultant
Comments
Everyone knows apps that are distributed via developers' sites are far more susceptible to library and code tampering, not to mention various ad trackers. This was never in the Mac App Store, and Apple revoked the certificate right away.
So, pro-tip: set Gatekeeper to Mac App Store and stay in the Apple ecosystem. Do not disable ecosystem protections. Do not click these articles; let the click-bait ecosystem die. SANS should support this; after all, are they for the public good?
Oh, never change a phone's settings when it is evidence... Remember, it is evidence.
Anonymous
Mar 7th 2016
8 years ago
If a nice or juicy application is available via a developer's website, it's not easy to prevent users from getting and running the installer.
Anonymous
Mar 7th 2016
8 years ago
While it's true this affords you additional protections, I think you are way overconfident in Apple's ability to detect malicious applications submitted to the Mac App Store. The developers of this malware were obviously in a position to steal the developer's code signing certificate, so it's not difficult to reason that they could also have stolen the developer's credentials and submitted an App Store update. I'm sure Apple does some basic level of checking, but I'm also sure malware authors are equally smart and can and will find a way to get malicious code approved. Even if App Store security were perfect, we know Gatekeeper is not, and Gatekeeper bypasses exist. As researchers like Patrick Wardle have shown, OS X is ripe for the picking when it comes to malware, and bad actors haven't even begun to scratch the surface of what is possible. Combine that with the complete lack of any security or endpoint protection tools on OS X that actually do anything more than simple hash matching, and we are living in the eye of an OS X malware storm. It's coming, and Apple had better step up their game.
Anonymous
Mar 7th 2016
8 years ago
> Everyone knows apps that are distributed via developers' sites are far more susceptible to library and code tampering, not to mention various ad trackers. This was never in the Mac App Store, and Apple revoked the certificate right away.
> So, pro-tip: set Gatekeeper to Mac App Store and stay in the Apple ecosystem. Do not disable ecosystem protections. Do not click these articles; let the click-bait ecosystem die. SANS should support this; after all, are they for the public good?
> Oh, never change a phone's settings when it is evidence... Remember, it is evidence.
And what is preventing a threat actor from stealing a code signing cert and login credentials for a legit app on the Mac App Store? User awareness is key in these situations. Also, control the environment. Know what you are installing and limit who can install apps. Sort of what we do for Windows environments.
Anonymous
Mar 7th 2016
8 years ago
Anonymous
Mar 8th 2016
8 years ago