Unfinished ransomware for MacOS X

A Trojan encrypter for Mac OS X is something we haven’t yet seen, but is, it seems, totally realistic.  We found one example of such malware in the wilds of the Internet, more precisely on the not unknown site  But don’t all rush to hide your documents from this ransomware — we conducted a detailed analysis of Trojan-Ransom.OSX.FileCoder.a and the results were slightly disappointing.

The first thing that jumped out at us when studying the Trojan was the announcement with the demand for money for restoring the user’s files, which is typical for the Trojan-Ransom family.

It was this that steered us towards further study of the functionality of the Trojan-Ransom.OSX.FileCoder.a.  We wanted to know exactly how the Trojan would encrypt files and extort money.  The more so as it was written with the use of the Qt framework, and if the potential victim doesn’t have these instruments installed the malware doesn’t completely work.  An unusual decision considering that the Qt framework is encountered comparatively rarely on users’ computers.

It turns out that after starting Trojan-Ransom.OSX.FileCoder.a finds file .d163c127f802d4c2a2abae36a429277b in the home directory of the user and decrypts it using the AES algorithm.  The secret cypher key is stored in the code of the Trojan and does not change.  The decoded file is saved under the name .decrypted-.d163c127f802d4c2a2abae36a429277b.  Further Trojan-Ransom.OSX.FileCoder.a encrypts the file  .8c8790f8d6377dd45b83b113809584a2 using the same code and saves it with the name .encrypted-.8c8790f8d6377dd45b83b113809584a2.  Both processed files are similar, they were added by the malware author to check it works and their names are hardwired into the code.

After the encryption process has finished the Trojan informs the user that his documents are supposedly damaged.  As, at the moment, Trojan-Ransom.OSX.FileCoder.a encrypts only its own files and can not even obtain a list of files in the home directory of the user, the list of documents to be restored is empty.


After clicking the button “Restore documents” a new window opens in which the Trojan authors offer the user the option of restoring his/her documents and state that they are the only people who can help.  The victim only needs to select the most convenient payment system and send the sum demanded by the blackmailers.


At this point it became totally clear that Trojan-Ransom.OSX.FileCoder.a is a relatively harmless program which could be turned into a fully functioning Trojan encrypter demanding money from its victims, but for some reason this had not been done.

Perhaps the Trojan should have encrypted all documents, images and other files in the home listing of the user with a key received from a C&C server (as is done with Windows encrypters).   And as an identifier for tying the encryption key to the victim’s computer it was planned to use the unique equipment identifier IOPlatformUUID, which is returned by the following call (also present in the code):

The code also contains the address of the C&C server – http://dv1208.local/key.php.  The .local domain shows that at the moment of creation of Trojan-Ransom.OSX.FileCoder.a the server was located on the local computer of the author.

Judging by, this example of Trojan-Ransom.OSX.FileCoder.a is already two years old and a completed version has still not been detected — clearly something didn’t work out for the author.  Let’s hope it still hasn’t.

Unfinished ransomware for MacOS X

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox