Jan 06, 2023, Ravie Lakshmanan
Microsoft has shed light on four different ransomware families –
KeRanger[1], FileCoder, MacRansom,
and EvilQuest – that are known to impact Apple macOS systems.
“While these malware families are old, they exemplify the range
of capabilities and malicious behavior possible on the platform,”
the tech giant’s Security Threat Intelligence team said[2]
in a Thursday report.
The initial vector for these ransomware families involves what
the Windows maker calls “user-assisted methods,” wherein the victim
downloads and installs trojanized applications.
Alternatively, it can also arrive as a second-stage payload
that’s dropped by an already existing malware on the infected host
or as part of a supply chain attack.
Irrespective of the modus operandi employed, the attacks proceed
along similar lines, with the threat actors relying on legitimate
operating system features and exploiting vulnerabilities to break
into the systems and encrypt files of interest.
This includes the use of the Unix find utility as well as
library functions like opendir, readdir, and closedir to enumerate
files. Another method pointed out by Microsoft, but not adopted by
the ransomware strains, entails the NSFileManager[3]
Objective-C interface.
KeRanger, MacRansom, and EvilQuest have also been observed to
utilize a combination of hardware- and software-based checks to
determine if the malware is running in a virtual environment in an
attempt to resist analysis and debugging attempts.
KeRanger, notably, employs a technique known as delayed
execution to escape detection. It achieves this by sleeping for
three days upon its launch before kick-starting its malicious
functions.
Persistence, which is essential to ensuring that the malware is
run even after a system restart, is established by means of
launch agents[4]
and kernel queues[5], Microsoft pointed
out.
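As an added defender-side illustration, not code from Microsoft's report or from any of the malware families, the script below audits launchd property lists for auto-starting programs in unusual locations, the persistence mechanism described above. The directory list, the flagging heuristics and the two sample plists are assumptions constructed for the demo.

```python
import os
import plistlib
import tempfile

# Directories launchd reads for per-user agents and system agents/daemons
# (assumption: a real audit would also walk every home under /Users).
LAUNCH_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

def load_launch_items(directories):
    """Parse every .plist in the given directories and return its key fields."""
    items = []
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, "rb") as fh:
                    data = plistlib.load(fh)
            except (plistlib.InvalidFileException, OSError, ValueError):
                continue  # unreadable or malformed plist: skip it, keep auditing
            args = data.get("ProgramArguments") or []
            program = data.get("Program") or (args[0] if args else "")
            items.append({"path": path, "label": str(data.get("Label", "")),
                          "program": str(program),
                          "run_at_load": bool(data.get("RunAtLoad", False))})
    return items

def is_suspicious(item):
    """Heuristic (assumption, not from the report): auto-starting items whose
    program lives in a temp dir, a hidden directory, or a user's home tree."""
    p = item["program"]
    in_temp = p.startswith(("/tmp/", "/var/tmp/", "/private/tmp/"))
    hidden = "/." in p
    in_home = p.startswith("/Users/") and "/Applications/" not in p
    return item["run_at_load"] and (in_temp or hidden or in_home)

def demo():
    """Constructed sample: two plists in a temp dir, one benign and one odd."""
    d = tempfile.mkdtemp()
    plists = {
        "com.example.sync.plist": {"Label": "com.example.sync", "RunAtLoad": True,
                                   "Program": "/Applications/Sync.app/Contents/MacOS/sync"},
        "com.example.updater.plist": {"Label": "com.example.updater", "RunAtLoad": True,
                                      "ProgramArguments": ["/Users/alice/Library/.cache/updater"]},
    }
    for fn, pl in plists.items():
        with open(os.path.join(d, fn), "wb") as fh:
            plistlib.dump(pl, fh)
    items = load_launch_items([d])
    return items, [i["label"] for i in items if is_suspicious(i)]
```

Run `load_launch_items(LAUNCH_DIRS)` on a real host to review the live entries; `demo()` only exercises the constructed sample.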
While FileCoder uses the ZIP utility to encrypt files, KeRanger
uses AES encryption[6]
in cipher block chaining (CBC[7]) mode to achieve its
goals. Both MacRansom and EvilQuest, on the other hand, leverage a
symmetric encryption[8]
algorithm.
EvilQuest, which was first exposed[9]
in July 2020, further goes beyond typical ransomware to incorporate
other trojan-like features, such as keylogging, compromising Mach-O
files by injecting arbitrary code, and disabling security
software.
It also packs in capabilities to execute any file directly from
memory, effectively leaving no trace of the payload on disk.
“Ransomware continues to be one of the most prevalent and
impactful threats affecting organizations, with attackers
constantly evolving their techniques and expanding their tradecraft
to cast a wider net of potential targets,” Microsoft said.
References
- [1] KeRanger (unit42.paloaltonetworks.com)
- [2] said (www.microsoft.com)
- [3] NSFileManager (developer.apple.com)
- [4] launch agents (attack.mitre.org)
- [5] kernel queues (developer.apple.com)
- [6] AES encryption (en.wikipedia.org)
- [7] CBC (en.wikipedia.org)
- [8] symmetric encryption (en.wikipedia.org)
- [9] first exposed (thehackernews.com)
- [10] Twitter (twitter.com)
- [11] LinkedIn (www.linkedin.com)
Source: https://thehackernews.com/2023/01/microsoft-reveals-tactics-used-by-4.html