Microsoft recently published an analysis of four ransomware families that target Apple macOS: KeRanger, FileCoder, MacRansom, and EvilQuest. Together they illustrate the range of malicious activity possible on the platform. According to Microsoft's Security Threat Intelligence team, these families typically reach a machine through user-assisted means, such as a trojanized application, or arrive as a second-stage payload dropped by malware already present or delivered through a supply chain compromise. That delivery model underlines the need for endpoint protection and for care when installing software from unverified sources.
Before it can encrypt anything, ransomware has to find the files worth encrypting. Microsoft notes that the families it examined do this with facilities the operating system already provides rather than with custom enumeration code: the Unix find utility, the opendir, readdir, and closedir library functions, or the NSFileManager Objective-C interface. Separately, KeRanger, MacRansom, and EvilQuest perform both hardware- and software-based checks to determine whether they are running inside a virtual machine, which hampers analysis and debugging in sandboxed environments.
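Whichever enumeration API a sample uses, the observable side effect is the same: one process touching a large number of distinct user files in a short time. The following added example (not code from Microsoft's report or from any of the families discussed) shows a sliding-window burst detector run over a constructed file-event log. The log format, the window length and the threshold are assumptions to tune per fleet.

```python
"""Burst detector for the enumeration/encryption phase of macOS ransomware.

Added example for this page, not code from Microsoft's report. A process that
walks a home directory with find, opendir/readdir or NSFileManager and then
encrypts what it found opens or renames many distinct files within seconds.
This flags any pid that touches at least THRESHOLD distinct files under
/Users/ inside a WINDOW-second sliding window. The event log is constructed.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, NamedTuple, Tuple

WINDOW = 10.0      # seconds (assumption: tune per fleet)
THRESHOLD = 20     # distinct files (assumption)
WATCHED_OPS = ("open", "rename")


class Event(NamedTuple):
    ts: float
    pid: int
    proc: str
    op: str
    path: str


def parse_line(line: str) -> Event:
    """Parse one constructed line: '<ts> <pid> <process> <op> <path>'."""
    ts, pid, proc, op, path = line.split(maxsplit=4)
    return Event(float(ts), int(pid), proc, op, path)


def find_bursts(events: Iterable[Event]) -> Dict[int, Tuple[str, float, int]]:
    """Return {pid: (process, window_start_ts, distinct_files)} for offenders.

    A pid is reported once, at the moment it first crosses THRESHOLD.
    """
    windows = defaultdict(deque)   # pid -> deque of (ts, path) inside WINDOW
    alerts: Dict[int, Tuple[str, float, int]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in WATCHED_OPS or not ev.path.startswith("/Users/"):
            continue
        q = windows[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > WINDOW:   # drop events older than WINDOW
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= THRESHOLD and ev.pid not in alerts:
            alerts[ev.pid] = (ev.proc, q[0][0], len(distinct))
    return alerts


def constructed_log() -> list:
    """Constructed sample: an editor, a slow backup job, and a fast encryptor."""
    lines = [
        "100.0 501 TextEdit open /Users/alice/Documents/notes.txt",
        "103.5 501 TextEdit open /Users/alice/Documents/todo.txt",
    ]
    # Backup daemon: 30 files, but only one every 2 s, so never 20 in a window.
    for i in range(30):
        lines.append(f"{300.0 + 2 * i:.1f} 555 backupd open /Users/alice/Pictures/img{i}.jpg")
    # Encryptor (placeholder name): 25 files opened and renamed within 5 s.
    for i in range(25):
        lines.append(f"{200.0 + 0.2 * i:.1f} 913 helper open /Users/alice/Documents/report{i}.docx")
        lines.append(f"{200.1 + 0.2 * i:.1f} 913 helper rename /Users/alice/Documents/report{i}.docx")
    return lines


def alerts_for_sample() -> Dict[int, Tuple[str, float, int]]:
    return find_bursts(parse_line(l) for l in constructed_log())


if __name__ == "__main__":
    for pid, (proc, start, n) in alerts_for_sample().items():
        print(f"pid {pid} ({proc}) touched {n} distinct files from t={start}")
```

The backup job touches more files overall than the encryptor but never crosses the threshold inside one window, which is the point of keying the rule on rate rather than on total count.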
KeRanger is noted for delayed execution: it sleeps for three days after installation before starting its malicious routine, which helps it evade detection. To survive a restart it persists through launch agents and kernel queues (kqueues), as Microsoft describes. FileCoder simply relies on the system ZIP utility to encrypt files, whereas KeRanger implements the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode; MacRansom and EvilQuest likewise use symmetric encryption. EvilQuest additionally carries a set of trojan capabilities: keylogging, infecting Mach-O binaries by injecting arbitrary code, disabling security software, and executing payloads directly from memory.
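Launch agent persistence leaves an artifact a defender can audit: a plist under a LaunchAgents directory that names a program and, usually, RunAtLoad or KeepAlive. The following added example (not code from Microsoft's report or from any of the families discussed) triages such plists with Python's standard plistlib, flagging jobs that start on their own from a hidden directory, a temp directory or a Downloads folder. The sample plists are constructed, and the definition of an unusual location is an assumption to tune per fleet.

```python
"""Heuristic triage of macOS LaunchAgent plists.

Added example for this page; not code from Microsoft's report or from the
malware families discussed. A launchd job is flagged as suspicious when it
starts without user action (RunAtLoad or KeepAlive) and its program lives
where a legitimate installer rarely puts one. The plists are constructed
in memory; which locations count as unusual is an assumption to tune.
"""
from __future__ import annotations

import plistlib
from typing import Any, Dict, List, Optional

# Assumption: temp locations a persisted binary should not be launched from.
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def program_of(agent: Dict[str, Any]) -> Optional[str]:
    """Executable launchd will start: Program, else ProgramArguments[0]."""
    prog = agent.get("Program")
    if isinstance(prog, str):
        return prog
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def auto_starts(agent: Dict[str, Any]) -> bool:
    """True when launchd runs the job at load or restarts it on its own."""
    keep = agent.get("KeepAlive")
    return bool(agent.get("RunAtLoad")) or keep is True or isinstance(keep, dict)


def path_reasons(path: str) -> List[str]:
    """Why the program's location looks unusual for a persisted job."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("relative path")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden path component")
    if path.startswith(TEMP_PREFIXES):
        reasons.append("temporary directory")
    if "/Downloads/" in path:
        reasons.append("Downloads folder")
    return reasons


def triage(plist_bytes: bytes) -> Dict[str, Any]:
    """Classify one LaunchAgent plist as ok, review or suspicious."""
    agent = plistlib.loads(plist_bytes)
    prog = program_of(agent)
    reasons = path_reasons(prog) if prog else ["no program to run"]
    if not reasons:
        verdict = "ok"
    elif auto_starts(agent):
        verdict = "suspicious"   # unusual location AND starts by itself
    else:
        verdict = "review"       # unusual location, but needs a trigger
    return {"label": agent.get("Label"), "program": prog,
            "verdict": verdict, "reasons": reasons}


def _plist(label: str, args: List[str], **flags: Any) -> bytes:
    """Serialize a constructed XML plist in memory for the samples below."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, **flags})


# Constructed samples: labels and paths are placeholders, not real indicators.
SAMPLES = {
    "benign": _plist("com.example.updater",
                     ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
                     RunAtLoad=True),
    "hidden": _plist("com.example.helper",
                     ["/Users/alice/Library/.helper/agent"],
                     RunAtLoad=True, KeepAlive=True),
    "tmp_no_trigger": _plist("com.example.tmpjob",
                             ["/private/tmp/job.sh"]),
}


def triage_samples() -> Dict[str, str]:
    """Verdict per constructed sample."""
    return {name: triage(data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(data))
```

On a real host the same triage runs over the files in ~/Library/LaunchAgents and /Library/LaunchAgents; kqueue-based persistence, which Microsoft also mentions, has no such on-disk artifact and needs process-level monitoring instead.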
Ransomware remains a significant problem for organizations of every size. Attackers keep refining their techniques to widen their reach and increase the damage they inflict, and Microsoft's analysis is a warning that these tactics continue to evolve on macOS as elsewhere.