Transmission for mac book
1/3/2024

On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after the installers were initially posted. We have named this ransomware “KeRanger.” The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.

Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for download from the Transmission site (hxxps:///files/Transmission-2.90dmg). Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.

Figure 1: KeRanger hosted on Transmission's official website

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development, and the malware also appears to be attempting to encrypt Time Machine backup files to prevent victims from recovering their backup data.

Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated its XProtect antivirus signatures, and the Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL Filtering and Threat Prevention to stop KeRanger from impacting systems.

The two KeRanger-infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed on this certificate is a Turkish company with the ID Z7276PX673, which is different from the developer ID used to sign previous versions of the Transmission installer. In the code signing information, we found that these installers were generated and signed on the morning of March 4.

Figure 2: Code signing information of KeRanger

The KeRanger-infected Transmission installers include an extra file named General.rtf in the Transmission.app/Contents/Resources directory. It uses an icon that looks like a normal RTF file but is actually a Mach-O executable packed with UPX 3.91. When users launch these infected apps, the bundle executable Transmission.app/Content/MacOS/Transmission copies this General.rtf file to ~/Library/kernel_service and executes this “kernel_service” before any user interface appears.

Figure 3: The malicious executable pretends to be an RTF document
Figure 4: KeRanger executes the extra General.rtf file

After unpacking General.rtf with UPX, we determined that its main behavior is to encrypt the user’s files and hold them for ransom. The first time it executes, KeRanger creates three files, “.kernel_pid”, “.kernel_time” and “.kernel_complete”, under the ~/Library directory and writes the current time to “.kernel_time”. Note that in a different sample of KeRanger we discovered, the malware sleeps for three days but also makes requests to the C2 server every five minutes.

Figure 5: KeRanger sleeps for three days before fully executing

General.rtf collects the infected Mac’s model name and UUID and uploads the information to one of its C2 servers. These servers’ domains are all sub-domains of onion.link or onion.nu, two domains that host servers only accessible over the Tor network. The executable keeps trying to connect with the C2 server until it responds with two lines of encoded data. After decoding these two lines using Base64, the first line contains an RSA public key and the second line is written to files named “README_FOR_DECRYPT.txt.”

Figure 6: Connect with C2 server and get instructions

When we were analyzing the samples, the C2 server returned the data for README_FOR_DECRYPT.txt shown in the following picture.
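As a defender's host-triage check, the following added example (my own script, not part of the original analysis) looks for the on-disk artifacts described above: the extra General.rtf in the bundle, the kernel_service copy and the three .kernel_* marker files under ~/Library, a running kernel_service process, and any dropped README_FOR_DECRYPT.txt. The function name and its two path parameters are my own; the artifact paths are the ones from the write-up.

```shell
#!/bin/sh
# Added example: triage a Mac (or a mounted image / test tree) for the
# KeRanger artifacts described in the write-up. Nothing here is removed;
# the script only reports. HOME_DIR and APP_DIR are parameters so the same
# check can run against "$HOME" and /Applications/Transmission.app or
# against a test directory.

# Usage: check_keranger HOME_DIR APP_DIR
# Prints one "FOUND: ..." line per artifact; returns 1 if anything was
# found, 0 if the host looks clean.
check_keranger() {
    home_dir="$1"
    app_dir="$2"
    found=0

    # Static artifacts: the UPX-packed payload shipped inside the bundle,
    # its copy under ~/Library, and the first-run marker files. .kernel_time
    # holds the first-run timestamp that starts the three-day delay, so its
    # age tells you how far along the timeline the host is.
    for f in "$app_dir/Contents/Resources/General.rtf" \
             "$home_dir/Library/kernel_service" \
             "$home_dir/Library/.kernel_pid" \
             "$home_dir/Library/.kernel_time" \
             "$home_dir/Library/.kernel_complete"; do
        if [ -e "$f" ]; then
            echo "FOUND: $f"
            found=1
        fi
    done

    # Live artifact: the payload runs under the copied name kernel_service.
    # (pgrep missing on a minimal system just counts as "not running".)
    if pgrep -x kernel_service >/dev/null 2>&1; then
        echo "FOUND: running process kernel_service"
        found=1
    fi

    # Post-encryption artifact: the ransom note is written next to the
    # encrypted files; one hit is enough to flag the host.
    note=$(find "$home_dir" -name README_FOR_DECRYPT.txt -print 2>/dev/null | head -n 1)
    if [ -n "$note" ]; then
        echo "FOUND: ransom note $note"
        found=1
    fi

    return $found
}
```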