OSX Ransomware Spread via a Rogue BitTorrent Client Installer

Published: 2016-03-07
Last Updated: 2016-03-07 10:42:18 UTC
by Xavier Mertens (Version: 1)
5 comment(s)

More a tool, a platform or an environment is popular, more it will be targeted. Those who still think that they are safe with their OSX environment are wrong. Manuel wrote a diary two months ago about a ransomware written in JavaScript (and that could affect different environments). Yesterday, a native malware for OSX has been detected and analyzed by Palo Alto Networks. It is called "KeRanger" and is spread via a malicious installation package of Transmission, a popular BitTorrent client. The malicious file was available for download on the official Transmission website which suggests that it was maybe compromised.
 
Once installed, the ransomware will wait three days before activating itself. It communicates with its C2 via Tor. The ransom is 1BC (~$400). Note that the binary is signed with a legit developer certificate and that it also attempts to encrypt TimeMachine backups (which are very popular and used by most OSX users!). 
 
The malicious file MD5 is 24a8f01cfdc4228b4fc9bb87fedf6eb7 and its current VT score is 0!

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key

5 comment(s)

Comments

Hence why you set Gatekeeper to Mac APP Store only. The fact that Sans does not address the poor hype related to this is sad. I wonder if these are the same people who advised the FBI to change the iCloud password on a phone.

Everyone knows APPS that are distributed via developers sites are far more susceptible to Library and code tampering. Not to mention various Ad trackers. This was never in the Mac APP store and APPLE revoked the certificate right away.

So pro-tip, set Gatekeeper to Mac APP Store, stay in the Apple ecosystem. Do not disable eco-system protections. Do not click these articles, let the click bait ecosystem die. Sans should support this, after all, are they for the public good?

Oh, never change a phone's setting when it is evidence... Remember it is evidence.
On paper, this is a good recommendation indeed but the human behavior goes in the other way.
If a nice or juicy application is available via a developer's website, it's not easy to prevent users to get & run the installer.
[quote=comment#36561]Hence why you set Gatekeeper to Mac APP Store only.[/quote]

While it's true this affords you additional protections I think you are way over confident in Apple's ability to detect malicious applications submitted to the Mac App store. The developers of this malware obviously were in a position to steal the developer's code signing certificate, so it's not difficult to reason they could have also stolen the developer's credentials and submitted an App store update. I'm sure Apple does some basic level of checking, but I'm also sure malware authors are equally as smart and can and will find a way to get malicious code approved. Even if App Store security was perfect, we know Gatekeeper is not and Gatekeeper bypasses exist. As researchers like Patrick Wardle have shown, OS X is ripe for the picking when it comes to malware and bad actors haven't even began to scratch the surface on what is possible. Combine that with the complete lack of any security or endpoint protection tools on OS X that actually do anything more than simple hash matching, we are living in the eye of an OS X malware storm. It's coming and Apple better step up their game.
[quote=comment#36561]Hence why you set Gatekeeper to Mac APP Store only. The fact that Sans does not address the poor hype related to this is sad. I wonder if these are the same people who advised the FBI to change the iCloud password on a phone.

Everyone knows APPS that are distributed via developers sites are far more susceptible to Library and code tampering. Not to mention various Ad trackers. This was never in the Mac APP store and APPLE revoked the certificate right away.

So pro-tip, set Gatekeeper to Mac APP Store, stay in the Apple ecosystem. Do not disable eco-system protections. Do not click these articles, let the click bait ecosystem die. Sans should support this, after all, are they for the public good?

Oh, never change a phone's setting when it is evidence... Remember it is evidence.[/quote]

And what is preventing a threat actor from stealing a code signing cert and login credentials for a legit app on the Mac App Store? User awareness is key in these situations. Also, control the environment. Know what you are installing and limit who can install apps. Sort of what we do for Windows environments.
[quote=comment#36569]The developers of this malware obviously were in a position to steal the developer's code signing certificate, so it's not difficult to reason they could have also stolen the developer's credentials[/quote]No one has claimed that the certificate was stolen, just that it didn't belong to the developer of Transmission. All it takes is a name, phone number, address, e-mail (all of which can be fake) then a stolen credit card number and $99 to get a DeveloperID from Apple, so why go to the trouble of stealing one.

Diary Archives