Unfinished ransomware for MacOS X

A Trojan encrypter for Mac OS X is something we haven’t yet seen, but is, it seems, totally realistic.  We found one example of such malware in the wilds of the Internet, more precisely on the not unknown site virustotal.com.  But don’t all rush to hide your documents from this ransomware — we conducted a detailed analysis of Trojan-Ransom.OSX.FileCoder.a and the results were slightly disappointing.

The first thing that jumped out at us when studying the Trojan was the announcement with the demand for money for restoring the user’s files, which is typical for the Trojan-Ransom family.

It was this that steered us towards further study of the functionality of the Trojan-Ransom.OSX.FileCoder.a.  We wanted to know exactly how the Trojan would encrypt files and extort money.  The more so as it was written with the use of the Qt framework, and if the potential victim doesn’t have these instruments installed the malware doesn’t completely work.  An unusual decision considering that the Qt framework is encountered comparatively rarely on users’ computers.

It turns out that after starting Trojan-Ransom.OSX.FileCoder.a finds file .d163c127f802d4c2a2abae36a429277b in the home directory of the user and decrypts it using the AES algorithm.  The secret cypher key is stored in the code of the Trojan and does not change.  The decoded file is saved under the name .decrypted-.d163c127f802d4c2a2abae36a429277b.  Further Trojan-Ransom.OSX.FileCoder.a encrypts the file  .8c8790f8d6377dd45b83b113809584a2 using the same code and saves it with the name .encrypted-.8c8790f8d6377dd45b83b113809584a2.  Both processed files are similar, they were added by the malware author to check it works and their names are hardwired into the code.

After the encryption process has finished the Trojan informs the user that his documents are supposedly damaged.  As, at the moment, Trojan-Ransom.OSX.FileCoder.a encrypts only its own files and can not even obtain a list of files in the home directory of the user, the list of documents to be restored is empty.


After clicking the button “Restore documents” a new window opens in which the Trojan authors offer the user the option of restoring his/her documents and state that they are the only people who can help.  The victim only needs to select the most convenient payment system and send the sum demanded by the blackmailers.


At this point it became totally clear that Trojan-Ransom.OSX.FileCoder.a is a relatively harmless program which could be turned into a fully functioning Trojan encrypter demanding money from its victims, but for some reason this had not been done.

Perhaps the Trojan should have encrypted all documents, images and other files in the home listing of the user with a key received from a C&C server (as is done with Windows encrypters).   And as an identifier for tying the encryption key to the victim’s computer it was planned to use the unique equipment identifier IOPlatformUUID, which is returned by the following call (also present in the code):

The code also contains the address of the C&C server – http://dv1208.local/key.php.  The .local domain shows that at the moment of creation of Trojan-Ransom.OSX.FileCoder.a the server was located on the local computer of the author.

Judging by virustotal.com, this example of Trojan-Ransom.OSX.FileCoder.a is already two years old and a completed version has still not been detected — clearly something didn’t work out for the author.  Let’s hope it still hasn’t.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *