Site icon Sophos News

RSA 2017: Deconstructing macOS ransomware

This is the third in a four-part series about SophosLabs’ 2017 malware forecast, released this week at RSA Conference in San Francisco. Part 1 looked at malware targeting Linux and Internet-of-things (IoT) devices. Part 2 examined malware targeting Android. Today’s installment is about malware designed for macOS. Special thanks to SophosLabs researcher Xinran Wu for contributing the research for this part.

 
Though Mac malware is comparatively rare, Apple computers are not immune, as this year’s SophosLabs malware forecast shows. Mac malware is often technically sneaky and geared towards harvesting data or providing covert remote access to thieves.

What follows are two examples: OSX/KeRanger-A, and OSX/PWSSync-B.

OSX/KeRanger-A

The first official Transmission app (version 2.90) infected with OSX/KeRanger-A was discovered in early March 2016. A couple days later the infected version was removed and placed in a hard-coded KeRanger check that was part of version 2.92.

Attackers essentially copied the ransomware formula that had served them so well on Windows. They set out to:

Victims get the following message:

To prevent getting infected, Sophos at the time recommended the following actions:

OSX/PWSSync-B

Another example of trouble for Mac users came in August, when a bogus version of Transmission 2.92 was uploaded that contained malware known as OSX/PWSSync-B. Ironically, the main feature added when 2.92 was released was a malware removal utility for MacOS ransomware OSX/KeRanger-A.

A similar hack applied to the Transmission app occurred that same month. The hacked Transmission program itself contained only a tiny change: a small snippet of code added at the start that loads a file called License.rtf that is packaged into the application bundle. (Last time, the sneaky extra file was General.rtf.)

The file License.rtf sounds innocent enough – what software doesn’t include a licensing document somewhere? – and opening it seems equally reasonable.

Except that this license isn’t what it seems.

It was actually an MacOS executable (program file) that:

Those affected:

The bad guys gained enough traction with these attacks for SophosLabs to expect more in 2017.

Coming tomorrow: Microsoft Word Intruders stepping outside Office


Exit mobile version