In a new report, Microsoft revealed the in-use tactics of four different ransomware families, namely KeRanger, FileCoder, MacRansom, and EvilQuest - all four targeting macOS systems.
Probing the macOS threats
According to the report, the malware families are old and display a range of capabilities. - The initial vector for all these malware is a user-assisted method, where the victim downloads and installs trojanized apps.
- Further, the malware can arrive as a second-stage payload dropped by existing malware as part of a supply chain attack.
- Irrespective of the initial attack vector, the attackers rely on genuine OS features for later stages and abuse flaws to break into the systems and encrypt files.
Insights into tactics used
- File Enumeration: FileCoder and MacRansom use Unix find utility, while KeRanger and EvilQuest use other library functions such as readdir, closedir, and opendir to access and organize files.
- Analysis evasion: KeRanger employs the delayed execution technique, where post-infection, it stays silent for three days to escape detection. MacRansom, EvilQuest, and KeRanger use a combination of hardware- and software-based checks to find out if the malware is running in a virtual environment to resist analysis.
- Encryption: FileCoder uses the ZIP utility to encrypt files, while KeRanger uses AES encryption in Cipher block chaining mode. MacRansom and EvilQuest use custom symmetric algorithms for file encryption. Further, EvilQuest has trojan-like features, such as keylogging and compromising Mach-O files by injecting arbitrary code.
Closing thoughts
Ransomware actors are regularly upgrading their malware to make them more efficient while evading security systems with new techniques. Understanding the usual tactics and routines of these malware can help organizations step up their data protection and cyber defense strategy. Security teams are advised to use real-time threat intelligence to keep up with changing TTPs of ransomware threats.