Saturday, June 15, 2024

Microsoft Details Techniques Used by Hackers to Deliver Ransomware to macOS Devices

One of the most dominating threats in the current cyberspace era is ransomware which is constantly affecting organizations of all sizes. In order to cast a wider net of potential targets, attackers are constantly changing their tactics and expanding their tradecraft to make sure that they are successful.

As a result of ransomware attacks, a wide range of industries, systems, and platforms are being affected. When it comes to protecting hybrid devices and working environments at work today, it is vital to understand how ransomware works across these systems and platforms.

In contrast to other platforms, Mac ransomware tends to rely substantially on user assistance such as downloading and running fake applications or trojanized programs to infect computers.

Unveiling the TTPs of Ransomware

During ransomware campaigns, the attackers typically gain access to a target device, execute the malware, encrypt the files belonging to the target, and inform the target of a ransom demand and request for payment.

The following steps are taken by malware creators in order to accomplish these objectives:-

  • Abuses legitimate functionalities
  • Devise various techniques to exploit vulnerabilities
  • Evade defenses
  • Force users to infect their devices

Microsoft analyzed the following four Mac ransomware families:-

  • KeRanger
  • FileCoder
  • MacRansom
  • EvilQuest

Technical Analysis 

It is important for ransomware to target which files to encrypt in order to gain the greatest amount of success. Based on Microsoft’s observations, ransomware families enumerate files and directories in several different ways on Mac as follows:-

  • Using the Find binary
  • Using library functions opendir, readdir, and closedir
  • Using the NSFileManager class through Objective-C

The primary goal of malware creators is to prevent or evade the analysis of files by either the human analyst or an automated analysis system.

Among the ransomware families discussed above, either hardware-based checks are employed to ensure that the ransomware is not detected, or special code is made to prevent analysis of the ransomware.

As far as hardware-based checks are concerned, they are the following:-

  • Checking a device’s hardware model
  • Checking the logical and physical processors of a device
  • Checking the MAC OUI of the device
  • Checking the device’s CPU count and memory size

Among the checks related to the code are the following:-

  • Delayed execution
  • P_TRACED flag
  • Time-based check

It is quite common for malware to use persistence to make sure it continues to run even after the system has been restarted.

The EvilQuest and MacRansom ransomware families, among the Mac ransomware families that have been analyzed, have both utilized persistence techniques.

As a result, these malware families use a variety of persistence techniques to maintain their presence in the system. And here below we have mentioned the persistence techniques:-

  • Creating launch agents or launch daemons
  • Using kernel queues

There are often similarities in the anti-analysis and persistence techniques of the ransomware families that we have analyzed. There is, however, a difference in the encryption logic between these ransomware families. 

The encryption of files is often done using AES-RSA algorithms, while other techniques are used, such as system utilities, XOR routines, or custom algorithms.

The methods for encrypting data vary from adding a patch in place to deleting the original file and creating a new one in its place. As part of its implementation of in-memory execution, EvilQuest uses the following APIs:-

  • NSCreateObjectFileImageFromMemory – used for creating an object file image from the data present in memory
  • NSLinkModule – used to link the object file image
  • NSLookupSymbolInModule – used for looking for a specific symbol
  • NSAddressOfSymbol – used to get the address of the symbol.


It is possible for defenses to mitigate the impact of ransomware attacks by taking the following mitigation steps:-

  • Do not install apps from sources other than the official app store of the software platform.
  • Protect privileged resources by restricting access to them.
  • Use a web browser that supports Microsoft Defender SmartScreen, such as Microsoft Edge.
  • Keep your operating system and applications up-to-date by installing the latest versions of them.
  • On your Mac, make sure you are using Microsoft Defender for Endpoints.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles