
Unfinished ransomware for MacOS X

A Trojan encrypter for Mac OS X is something we have not yet seen in the wild, but one is, it seems, entirely realistic.  We found a sample of just such malware on the Internet, more precisely on the well-known site virustotal.com.  But don't rush to hide your documents from this ransomware: we analysed Trojan-Ransom.OSX.FileCoder.a in detail and the results were somewhat disappointing.

The first thing that caught our eye when studying the Trojan was the ransom note demanding money to restore the user's files, which is typical of the Trojan-Ransom family.

That is what prompted us to study the functionality of Trojan-Ransom.OSX.FileCoder.a further: we wanted to know exactly how the Trojan encrypts files and extorts money.  All the more so because it is built on the Qt framework, and if the Qt libraries are not installed on the potential victim's machine the malware does not work properly.  An odd choice, given that Qt is comparatively rare on ordinary users' computers.

It turns out that, once started, Trojan-Ransom.OSX.FileCoder.a looks for the file .d163c127f802d4c2a2abae36a429277b in the user's home directory and decrypts it with AES.  The secret key is stored in the Trojan's code and never changes.  The decrypted file is saved under the name .decrypted-.d163c127f802d4c2a2abae36a429277b.  The Trojan then encrypts the file .8c8790f8d6377dd45b83b113809584a2 with the same key and saves the result as .encrypted-.8c8790f8d6377dd45b83b113809584a2.  Both files are test files the malware author added to check that the code works; their names are hard-coded into the Trojan.  A key embedded in the binary is also the sample's weakest point: anyone who extracts it from the executable can decrypt everything the Trojan would ever encrypt with it, without any help from the author.
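
To make that weakness concrete, here is an added example in Go (our own code, not the Trojan's) that reproduces the routine just described: one hard-coded key, two hard-coded file names, a decrypt leg and an encrypt leg, and nothing else in the home directory touched.  The key bytes, the choice of AES-256-GCM and the file contents are all constructed assumptions; the page says only that AES is used with a fixed key.  The Recover function is the point of the exercise: with the key lifted from the binary, a defender can write the decryptor without the author's cooperation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StaticKey stands in for the key hard-coded in the Trojan. The bytes are a
// constructed placeholder, and AES-256-GCM is this example's choice of mode.
var StaticKey = []byte("constructed-32-byte-static-key!!")

// File names the sample has hard-coded, as reported in the analysis.
const (
	ToDecrypt = ".d163c127f802d4c2a2abae36a429277b"
	ToEncrypt = ".8c8790f8d6377dd45b83b113809584a2"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || AES-GCM ciphertext of plaintext under key.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; a wrong key or a tampered file fails authentication.
func Decrypt(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Home is a stand-in for the victim's home directory: file name -> contents.
type Home map[string][]byte

// TrojanRun mirrors the sample's fixed routine: decrypt ToDecrypt and encrypt
// ToEncrypt, both under StaticKey, touching nothing else in the directory.
func TrojanRun(home Home) error {
	dec, err := Decrypt(StaticKey, home[ToDecrypt])
	if err != nil {
		return err
	}
	home[".decrypted-"+ToDecrypt] = dec
	enc, err := Encrypt(StaticKey, home[ToEncrypt])
	if err != nil {
		return err
	}
	home[".encrypted-"+ToEncrypt] = enc
	return nil
}

// Recover is the decryptor a defender can ship once the key has been lifted
// from the binary: no C&C and no per-victim secret are needed.
func Recover(home Home, name string, extractedKey []byte) ([]byte, error) {
	return Decrypt(extractedKey, home[".encrypted-"+name])
}

// Demo stages the two test files (constructed content) beside an unrelated
// document, runs the routine and returns the directory plus the recovered file.
func Demo() (Home, []byte, error) {
	pre, err := Encrypt(StaticKey, []byte("constructed pre-encrypted data"))
	if err != nil {
		return nil, nil, err
	}
	home := Home{
		ToDecrypt:    pre,
		ToEncrypt:    []byte("constructed test document"),
		"thesis.doc": []byte("a real document the sample never touches"),
	}
	if err := TrojanRun(home); err != nil {
		return nil, nil, err
	}
	recovered, err := Recover(home, ToEncrypt, StaticKey)
	return home, recovered, err
}

func main() { fmt.Println(Demo()) }
```

Running it shows five entries in the directory afterwards: the two originals, the two prefixed outputs and the untouched document, exactly the behaviour the analysis describes.  Because GCM authenticates the ciphertext, Decrypt with any key other than the static one fails outright rather than returning garbage, which is how a decryptor can tell it has the right key.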

Once encryption has finished, the Trojan informs the user that his documents are supposedly damaged.  Since, in its current state, Trojan-Ransom.OSX.FileCoder.a encrypts only its own files and cannot even list the files in the user's home directory, the list of documents to be restored is empty.

[Screenshot: kuzin_osx-ransom_02]

After clicking the "Restore documents" button a new window opens in which the Trojan's authors offer to restore the user's documents and claim that they are the only ones who can help.  The victim need only choose the most convenient payment system and send the sum the blackmailers demand.

[Screenshot: kuzin_osx-ransom_03]

At this point it was clear that Trojan-Ransom.OSX.FileCoder.a is a relatively harmless program that could have been turned into a fully functional Trojan encrypter demanding money from its victims, but for some reason this was never done.

Perhaps the Trojan was meant to encrypt all documents, images and other files in the user's home directory with a key received from a C&C server (as Windows encrypters do).  As the identifier tying the encryption key to the victim's computer, the author apparently planned to use the hardware identifier IOPlatformUUID, which is returned by the following call (also present in the code):

The code also contains the address of the C&C server: http://dv1208.local/key.php.  The .local domain shows that when Trojan-Ransom.OSX.FileCoder.a was written the server was running on the author's own machine (on OS X, .local names are resolved through Bonjour/mDNS on the local network rather than public DNS, so such a server would be unreachable from a real victim).
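
The call itself is not reproduced on this page.  As an added example (our own Go code, not the sample's), the program below shows one way a macOS program obtains IOPlatformUUID, by parsing the output of `ioreg -rd1 -c IOPlatformExpertDevice`, which prints the value as a quoted key/value pair (native code queries the same IOPlatformExpertDevice registry entry through IOKit), and how the identifier would be attached to a key request for the hard-coded C&C address.  The ioreg excerpt and the UUID in it are constructed, the query parameter name id is an assumption because the page does not show the request format, and the check on the .local host name simply encodes the observation above about the server's location.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"runtime"
	"strings"
)

// SampleIoreg is a constructed excerpt of `ioreg -rd1 -c IOPlatformExpertDevice`
// output; the UUID and serial number are made up.
const SampleIoreg = `+-o MacBookPro11,1  <class IOPlatformExpertDevice, id 0x100000110, registered, matched, active, busy 0 (4 ms), retain 40>
    {
      "IOPlatformUUID" = "12345678-ABCD-4EF0-9876-0123456789AB"
      "IOPlatformSerialNumber" = "C02CONSTRUCTED"
      "model" = <"MacBookPro11,1">
    }
`

// ParsePlatformUUID extracts the IOPlatformUUID value from ioreg output.
func ParsePlatformUUID(ioregOutput string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(ioregOutput))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, `"IOPlatformUUID"`) {
			continue
		}
		_, val, ok := strings.Cut(line, "=")
		if !ok {
			break
		}
		return strings.Trim(strings.TrimSpace(val), `"`), nil
	}
	return "", errors.New("IOPlatformUUID not found in ioreg output")
}

// PlatformUUID queries the live system. ioreg exists only on macOS, so on any
// other OS it returns an error instead of a fabricated identifier.
func PlatformUUID() (string, error) {
	if runtime.GOOS != "darwin" {
		return "", fmt.Errorf("ioreg is macOS-only, running on %s", runtime.GOOS)
	}
	out, err := exec.Command("ioreg", "-rd1", "-c", "IOPlatformExpertDevice").Output()
	if err != nil {
		return "", err
	}
	return ParsePlatformUUID(string(out))
}

// KeyRequestURL builds the per-victim key request the unfinished design implies.
// The C&C path is the one found in the sample; the query parameter name "id" is
// an assumption, since the page does not show how the UUID would have been sent.
func KeyRequestURL(cnc, uuid string) (string, error) {
	u, err := url.Parse(cnc)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("id", uuid)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// IsLinkLocalName is the triage check behind the article's conclusion: macOS
// resolves ".local" names via Bonjour/mDNS on the local link, not public DNS,
// so such a C&C is unreachable from any victim outside the author's network.
func IsLinkLocalName(cnc string) bool {
	u, err := url.Parse(cnc)
	if err != nil {
		return false
	}
	return strings.HasSuffix(strings.ToLower(u.Hostname()), ".local")
}

func main() {
	uuid, err := ParsePlatformUUID(SampleIoreg)
	fmt.Println("parsed:", uuid, err)
	if live, err := PlatformUUID(); err == nil {
		fmt.Println("this machine:", live)
	}
	req, _ := KeyRequestURL("http://dv1208.local/key.php", uuid)
	fmt.Println(req, "link-local C&C:", IsLinkLocalName(req))
}
```

On a Mac the program also prints the real IOPlatformUUID of the machine it runs on; elsewhere it falls back to the constructed excerpt, so the parsing and URL logic can be exercised offline.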

Judging by virustotal.com, this sample of Trojan-Ransom.OSX.FileCoder.a is already two years old and a finished version has still not turned up; evidently something did not work out for the author.  Let's hope it stays that way.
