Tuesday, 8 March 2016

KeRanger - OSX Ransomware

On March 4th, the Palo Alto Networks Research Center detected the first known fully functional ransomware on OSX.

Ransomware is a type of malware that restricts access to the affected computer system in some way, typically by encrypting the user's files with an asymmetric encryption algorithm. The private key required to decrypt the files is not stored on the infected machine; to obtain it, the infected party is required to pay a 'ransom' to unlock their files. The transactions are normally conducted in a digital currency such as Bitcoin.

Attackers infected two installers of the Transmission BitTorrent client, version 2.90, with the KeRanger malware.

The installer was signed with a valid Apple Developer certificate that was trusted by the OSX Gatekeeper process, allowing the ransomware to be installed undetected by the OSX security safeguards.

As soon as the team at the Palo Alto Networks Research Center reported this to Apple, Apple revoked the developer's signing certificate and released an XProtect update.

XProtect maintains a list of known-bad applications which can be checked by File Quarantine-aware applications such as Safari, Chrome and Mail. When a user opens a downloaded file, File Quarantine checks whether it matches any of the entries in the XProtect.plist file (/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist) and displays a warning if a match is found. These XProtect updates are distributed via Apple's software update mechanism and are called ConfigData updates.
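To make the File Quarantine / XProtect check concrete, here is a small Python model of it, added for this post and not Apple's code. The plist schema (Description / Matches / MatchType / Pattern), the "Match" semantics (every pattern must occur in the file), the definition names and the sample installer bytes are all constructed assumptions; none of the values are real KeRanger indicators.

```python
import plistlib

# Assumed, simplified XProtect-style schema: a list of entries, each with a
# Description and Matches whose Pattern is a hex string of file bytes.
def build_definitions(entries):
    """Serialize {description: [hex patterns]} into an XProtect-style plist."""
    return plistlib.dumps([
        {"Description": desc,
         "Matches": [{"MatchType": "Match", "Pattern": p} for p in pats]}
        for desc, pats in entries.items()
    ])

def load_definitions(plist_bytes):
    """Parse the plist back into (description, [bytes pattern]) tuples."""
    return [(e["Description"], [bytes.fromhex(m["Pattern"]) for m in e["Matches"]])
            for e in plistlib.loads(plist_bytes)]

def match_xprotect(data, definitions):
    """Return the Description of the first entry whose patterns all occur in data."""
    for desc, patterns in definitions:
        if patterns and all(p in data for p in patterns):
            return desc
    return None

def quarantine_open(data, quarantined, definitions):
    """File Quarantine only consults XProtect for files that a quarantine-aware
    app tagged on download (com.apple.quarantine xattr); untagged files are not
    checked at all. Returns 'not-checked', 'allowed' or 'blocked:<Description>'."""
    if not quarantined:
        return "not-checked"
    hit = match_xprotect(data, definitions)
    return f"blocked:{hit}" if hit else "allowed"

# Constructed sample "installer": a Mach-O magic followed by a made-up marker
# that stands in for whatever byte sequence a real definition would key on.
SAMPLE_INSTALLER = b"\xcf\xfa\xed\xfe" + b"...installer payload..." + b"EXAMPLE-MARKER" + b"..."

# Definitions as they stood before the ConfigData update (no entry yet) and after it.
OLD_DEFS = load_definitions(build_definitions({}))
NEW_DEFS = load_definitions(build_definitions(
    {"Example.Ransom.A": ["EXAMPLE-MARKER".encode().hex()]}))

if __name__ == "__main__":
    print(quarantine_open(SAMPLE_INSTALLER, True, OLD_DEFS))   # allowed (signature not yet published)
    print(quarantine_open(SAMPLE_INSTALLER, True, NEW_DEFS))   # blocked:Example.Ransom.A
    print(quarantine_open(SAMPLE_INSTALLER, False, NEW_DEFS))  # not-checked
```

The three calls show the two limits that let a signed installer through: a blocklist only stops what it already lists, and it is only consulted for files carrying the quarantine flag.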

The Transmission Project has also been alerted and has removed the infected installers from its website.

For more technical details and IOCs, please refer directly to the original Palo Alto Networks Research Center article or the AlienVault OTX pulse.
