Monday, October 7, 2024
HomemacOSMicrosoft Details Techniques Used by Hackers to Deliver Ransomware to macOS Devices

Microsoft Details Techniques Used by Hackers to Deliver Ransomware to macOS Devices

Published on

One of the most dominating threats in the current cyberspace era is ransomware which is constantly affecting organizations of all sizes. In order to cast a wider net of potential targets, attackers are constantly changing their tactics and expanding their tradecraft to make sure that they are successful.

As a result of ransomware attacks, a wide range of industries, systems, and platforms are being affected. When it comes to protecting hybrid devices and working environments at work today, it is vital to understand how ransomware works across these systems and platforms.

In contrast to other platforms, Mac ransomware tends to rely substantially on user assistance such as downloading and running fake applications or trojanized programs to infect computers.

- Advertisement - EHA

Unveiling the TTPs of Ransomware

During ransomware campaigns, the attackers typically gain access to a target device, execute the malware, encrypt the files belonging to the target, and inform the target of a ransom demand and request for payment.

The following steps are taken by malware creators in order to accomplish these objectives:-

  • Abuses legitimate functionalities
  • Devise various techniques to exploit vulnerabilities
  • Evade defenses
  • Force users to infect their devices

Microsoft analyzed the following four Mac ransomware families:-

  • KeRanger
  • FileCoder
  • MacRansom
  • EvilQuest

Technical Analysis 

It is important for ransomware to target which files to encrypt in order to gain the greatest amount of success. Based on Microsoft’s observations, ransomware families enumerate files and directories in several different ways on Mac as follows:-

  • Using the Find binary
  • Using library functions opendir, readdir, and closedir
  • Using the NSFileManager class through Objective-C

The primary goal of malware creators is to prevent or evade the analysis of files by either the human analyst or an automated analysis system.

Among the ransomware families discussed above, either hardware-based checks are employed to ensure that the ransomware is not detected, or special code is made to prevent analysis of the ransomware.

As far as hardware-based checks are concerned, they are the following:-

  • Checking a device’s hardware model
  • Checking the logical and physical processors of a device
  • Checking the MAC OUI of the device
  • Checking the device’s CPU count and memory size

Among the checks related to the code are the following:-

  • Delayed execution
  • PT_DENY_ATTACH (PTRACE)
  • P_TRACED flag
  • Time-based check

It is quite common for malware to use persistence to make sure it continues to run even after the system has been restarted.

The EvilQuest and MacRansom ransomware families, among the Mac ransomware families that have been analyzed, have both utilized persistence techniques.

As a result, these malware families use a variety of persistence techniques to maintain their presence in the system. And here below we have mentioned the persistence techniques:-

  • Creating launch agents or launch daemons
  • Using kernel queues

There are often similarities in the anti-analysis and persistence techniques of the ransomware families that we have analyzed. There is, however, a difference in the encryption logic between these ransomware families. 

The encryption of files is often done using AES-RSA algorithms, while other techniques are used, such as system utilities, XOR routines, or custom algorithms.

The methods for encrypting data vary from adding a patch in place to deleting the original file and creating a new one in its place. As part of its implementation of in-memory execution, EvilQuest uses the following APIs:-

  • NSCreateObjectFileImageFromMemory – used for creating an object file image from the data present in memory
  • NSLinkModule – used to link the object file image
  • NSLookupSymbolInModule – used for looking for a specific symbol
  • NSAddressOfSymbol – used to get the address of the symbol.

Recommendation

It is possible for defenses to mitigate the impact of ransomware attacks by taking the following mitigation steps:-

  • Do not install apps from sources other than the official app store of the software platform.
  • Protect privileged resources by restricting access to them.
  • Use a web browser that supports Microsoft Defender SmartScreen, such as Microsoft Edge.
  • Keep your operating system and applications up-to-date by installing the latest versions of them.
  • On your Mac, make sure you are using Microsoft Defender for Endpoints.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

macOS Sequoia Update Breaks Multiple Security Tools

Apple's latest operating system update, macOS 15, also known as Sequoia, has disrupted the...

Apple Tightens macOS Gatekeeper Controls in macOS Sequoia

Apple has announced changes to its macOS Gatekeeper security feature with the release of...

Malicious Python Package Attacking macOS Developers To Steal Google Cloud Logins

Hackers continuously exploit malicious Python packages to attack developer environments and inject harmful code...