Microsoft published on Jan. 5 — and then redacted on Jan. 6 — a report that detailed four ransomware families hitting macOS devices. When it comes to cybersecurity threats such as ransomware, most systems affected are usually Windows or Linux, so the news made a splash because it was about macOS devices.
But Patrick Wardle, founder of the Objective-See Foundation, pointed out is Twitter that the report had no citations and closely aligned with similar reporting done in his book The Art of Mac Malware, published in July 2022.
SEE: Clean your Mac before you break down and buy a new one (TechRepublic Academy)
Microsoft took down the article and communicated in a tweet to explain the reason for this removal (Figure A) in a response to Wardle, stopping short of apologizing for the post.
Image: Twitter. Communication from Microsoft
While Microsoft has taken down the post, the findings are detailed below.
Initial Mac compromise is unremarkable
The initial compromise to plant ransomware on Mac uses the same methods as any other infection. Cybercriminals use email, fake applications, or entice users to download files, which will infect their computer with malware. Ransomware on Mac might arrive via second stage payloads as well. In that case, the ransomware is dropped and executed on the system via another malware or is part of a supply chain attack.
From a technical point of view, Microsoft mentions that “malware creators abuse legitimate functionalities and devise various techniques to exploit vulnerabilities, evade defenses or coerce users to infect their devices.”
Ransomware techniques on Mac
Microsoft uses four known ransomware families to explain the malware techniques on Mac: KeRanger, FileCoder, MacRansom and EvilQuest.
Anti-analysis techniques used by MacRansom and EvilQuest
Anti-analysis techniques are deployed by malware to evade analysis or render the file analysis much more complex and difficult for researchers and malware sandboxes.
One technique commonly seen is the check of hardware-based items, to determine if the malware is running in a virtualized environment, which is often a strong indication that the malware is running in a test lab or a sandbox.
MacRansom uses the sysctl command to get the hw.model variable from the system. Should it run from a virtual machine, its value would be different. MacRansom also checks the difference between the number of logical and physical CPUs, as results in a virtualized environment are different from a host operating system.
EvilQuest ransomware checks the Mac organizationally unique identifier to determine the device vendor. It gets the MAC address of the en0 network interface and compares it with known values, to determine if a virtual machine is used.
SEE: Microsoft Defender protects Mac and Linux from malicious websites (TechRepublic)
In addition, EvilQuest checks the device memory size, as virtual machines tend to have few memory allocated. If it is less than 1GB of memory, the malware estimates it is running in a virtual environment. The number of CPUs is checked, too, and if there are less than two, the malware once again will consider it does not run on a usual user environment.
KeRanger ransomware, when launched, sleeps for three days before executing its malicious payload, to avoid being detected in sandboxes which only run the sample for a few minutes.
Yet several sandboxes do handle that kind of situation by patching the sleep function to avoid waiting for days. Once again, this can be bypassed: EvilQuest uses two different sleep calls and checks the difference in the result. If the result is the same, the malware knows the sleep function is patched.
EvilQuest and MacRansom also prevent debugging by preventing the debugger from attaching to the current malware process.
Launch Agents and Launch Daemons might be easily used by malware to initiate launch. A property list file is used to specify configurations and properties in respective directories to gain persistence.
Kernel queues are another way to achieve persistence. EvilQuest uses it to restore itself based on notifications it receives in case of modification of files it monitors.
As many different encryption schemes do exist, ransomware families differ in the way they encrypt data.
FileCoder ransomware uses the public ZIP software to encrypt data, with a randomly-generated password for encryption. It recursively encrypts files in the /Users and /Volumes folders. This method of using the ZIP utility has an obvious benefit: The ransomware developer does not need to implement any encryption and relies on a solid encryption provided by a third party.
KeRanger malware is developed to use AES encryption in cipher block chaining mode to encrypt files.
MacRansom uses a hardcoded key permuted with a random number to encrypt data, while EvilQuest encrypts content using a custom symmetric key encryption routine.
File enumeration is a critical operation for ransomware operators. It consists of finding which files to target for encryption on a system or network. Several methods are used by ransomware on Mac to achieve that goal.
‘Find’ command-line binary
FileCoder and MacRansom make use of the “find” utility to search for files to encrypt. This utility is native on several systems such as Linux and macOS and has several options to help attackers.
The output of the find command is then provided to the malware in order to run its operations on the discovered files.
SEE: The most dangerous and destructive ransomware groups of 2022 (TechRepublic)
FileCoder recursively enumerates all files from the macOS /Users and /Volumes folders, excluding files named README!.txt.
MacRansom is more specific: It searches for files in the /Volumes and the current user’s home folder, but it checks for files bigger than 8 bytes, belonging to the current user for which they have read permissions enabled.
Enumerating via libraries
KeRanger and EvilQuest use standard library functions such as opendir(), readdir() and closedir() to enumerate files on affected systems.
Those are standard functions used by many developers who need to manipulate files.
EvilQuest ransomware pushes it further
The analysis of EvilQuest revealed that it contained more functionalities than merely encrypting files for ransom. It even has variants that do not contain the ransomware payload anymore.
- EvilQuest has the ability to infect Mach object file format (Mach-O) files by prepending its code to targeted files.
- When executed, the infected files will run the EvilQuest code before running the legitimate code of the executable file.
- EvilQuest might contain keylogging functionalities and tries to escape security processes to evade detection by checking if running processes belong to a hardcoded list of security tools patterns. Should the malware see matches, it would then stop the process and remove executable permission from the process file.
- Some variants of EvilQuest use in-memory execution, preventing any disk storage for the malware and rendering the detection more difficult.
How to protect from the ransomware threat on macOS?
It is strongly advised to always have an up to date and patched operating system and software, to avoid being infected via common vulnerabilities. It is also advised to never install software from an untrusted source such as a download platform. Instead, only legitimate application stores should be used.
Antivirus and security solutions should be deployed on Mac devices, and user privileges should be carefully checked, so users are only allowed to access the data they need and not all of the company’s data, especially on network shares.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.