Advertisement Banner
  • Home
  • News
  • Cyber News
  • Contact
No Result
View All Result
  • Home
  • News
  • Cyber News
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home Cyber News

Microsoft details techniques of Mac ransomwareSecurity Affairs

admin by admin
January 6, 2023
in Cyber News


Microsoft warns of different ransomware families (KeRanger, FileCoder, MacRansom, and EvilQuest) targeting Apple macOS systems.

Microsoft Security Threat Intelligence team warns of four different ransomware families (KeRanger, FileCoder, MacRansom, and EvilQuest) that impact Apple macOS systems.

The initial vector in attacks involving Mac ransomware typically relies on user-assisted methods, such as downloading and running fake or weaponized applications. The ransomware can also be delivered as a second-stage payload dropper or part of a supply chain attack. 

The experts state that malware creators abuse legitimate functionalities and implement various techniques to exploit vulnerabilities, evade defenses, or trick users into infecting their devices.

One of the most important capabilities of ransomware is the capability of targeting specific files to encrypt. Microsoft researchers observed various techniques used by ransomware families to enumerate files and directories on Mac.

FileCoder and MacRansom use the Linux find utility to search for selected files to encrypt. 

The FileCoder ransomware, for example, searches the “/Users” and “/Volumes” directories by invoking the find command twice, using different paths to enumerate and excluding the README file while searching the “/Users” path.

The researchers reported that KeRanger and EvilQuest use a sequence of opendir(), readdir(), and closedir() library functions to get the list of files.

The KeRanger, MacRansom, and EvilQuest ransomware families utilize a combination of hardware- and software-based checks to avoid being executed in a virtual environment for analysis and debugging purposes.

Hardware-based checks include checking a device’s hardware model (MacRansom), checking the logical and physical processors of a device (MacRansom), checking the MAC OUI of the device (EvilQuest), and checking the device’s CPU count and memory size (EvilQuest).

Code-related checks include delayed execution (KeRanger), PT_DENY_ATTACH (PTRACE) for an anti-debugging trick that prevents debuggers from attaching to the current malware process (EvilQuest and MacRansom), P_TRACED flag to check whether malware is being debugged (EvilQuest), and time-based check (EvilQuest).

Persistence is maintained by creating launch agents or launch daemons or using kernel queues.

“The ransomware families we analyzed often share similar anti-analysis and persistence techniques. However, these same ransomware families differ in encryption logic. Some use AES-RSA encryptions, while others use system utilities, XOR routine, or custom encryption logic to encrypt files. These encryption methods range from in-place modification to creating a new file while deleting the original one.” reads the analysis published by Microsoft. “Common among the ransomware observed is adding a new extension or simply encrypting the file without adding any new one.”

While FileCoder uses the ZIP utility to encrypt files, KeRanger uses AES encryption in Cipher block chaining (CBC) mode to encrypt files. MacRansom employes a symmetric algorithm for encrypting files and decrypting its ransom note “._README_”. 

EvilQuest also uses a custom symmetric key encryption routine to encrypt victims’ files.

The researchers observed two EvilQuest variants using two mechanisms of keylogging (T1056.001), the API CGEventTapCreate and the IOHIDManagerCreate API.

EvilQuest uses a set APIs (NSCreateObjectFileImageFromMemory, NSLinkModule, NSLookupSymbolInModule, NSAddressOfSymbol) to implement in-memory execution-

“Ransomware continues to be one of the most significant threats affecting any platform. Our analysis of ransomware on Mac operating systems shows how its creators use various techniques to remain hidden from automated analysis systems or make manual inspection by analysts challenging.” Microsoft concludes. “Understanding ransomware routines and their effects on any device or platform is essential for individual users to take steps toward device and data protection.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mac ransomware)



Share On







Source link

Previous Post

ED Files Second Chargesheet with 7 Firms’ Names

Next Post

The US cybersecurity imperative: fortifying critical infrastructure 

Next Post

The US cybersecurity imperative: fortifying critical infrastructure 

Recommended

MHA’s nod to change names of two places in Uttar Pradesh –

1 month ago

New Year, Same Mistake! Thousands gather in China to celebrate New Year –

1 month ago

© 2022 Law Enforcement News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Cyber News
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Cyber News
  • Contact

© 2022 Law Enforcement News Hubb All rights reserved.