{"id":7904,"date":"2017-06-09T07:40:03","date_gmt":"2017-06-09T15:40:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/09\/news-1685\/"},"modified":"2017-06-09T07:40:03","modified_gmt":"2017-06-09T15:40:03","slug":"news-1685","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/06\/09\/news-1685\/","title":{"rendered":"MacRansom: Offered as Ransomware as a Service"},"content":{"rendered":"

Credit to Author: Rommel Joven and Wayne Chin Yick Low| Date: Fri, 09 Jun 2017 15:21:09 +0000<\/strong><\/p>\n

\n

 <\/p>\n

Many Mac OS users might assume that their computer is exempt from things like ransomware attacks and think that their system is somehow essentially “secure.” It is true that it’s less likely for a Mac OS user to be attacked or infected by malware than a Windows user, but this has nothing to do with the level of vulnerability in the operating system. It is largely caused by the fact that over 90% of personal computers run on Microsoft Windows and only around 6% on Apple Mac OS.<\/p>\n

\"\"<\/p>\n

Figure 1: Market share for desktop OS (reference: NetMarketShare<\/a>)<\/p>\n

MacRansom Portal<\/h1>\n

Just recently, we here at FortiGuard Labs discovered a Ransomware-as-a-service (RaaS) that uses a web portal hosted in a TOR network which has become a trend nowadays. However, in this case it was rather interesting to see cybercriminals attack an operating system other than Windows. And this could be the first time to see RaaS that targets Mac OS.<\/p>\n

\"\"<\/p>\n

Figure 2: TOR portal of MacRansom<\/p>\n

This MacRansom variant is not readily available through the portal. It is necessary to contact the author directly to build the ransomware. At first, we thought of it as a scam since there was no sample but to verify this we dropped the author an email and unexpectedly received a response.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

Figure 3: About Us<\/p>\n

On our first email inquiring about the ransomware, we stated our requirements outlined by the author, such as the bitcoin amount for the target to pay, the date when to trigger the ransomware, and if it was to be  executable when someone plugs a USB drive.<\/p>\n

We sent the email around 11AM (GMT+8) and received the first response was around 9PM that same day.<\/p>\n

Response 1: (9PM)<\/em><\/p>\n

\"\"<\/p>\n

Agreeing on June 1st<\/sup> as the trigger date, and giving my bitcoin address, the author gladly sent the sample.<\/p>\n

Response 2: (11AM)<\/em><\/p>\n

\"\"<\/p>\n

Since the author replied quite promptly to us, we tried to dig deeper by asking more about the ransomware:<\/p>\n

\"\"<\/p>\n

Response 3: (12 AM)<\/em><\/p>\n

\"\"<\/p>\n

Observing the time of the responses, it gave us a hint that the author might be in a different time zone since the reply came back late at night (which could be morning for them). Also, on the first response the author said “June 1st<\/sup> midnight on your local time<\/em>”. They may have noticed the time difference when we emailed them.<\/p>\n

To verify the geolocation of the malware author(s) of this ransomware, we took a look at the original STMP header and found that the time zone they are in is GMT – 4.<\/p>\n

\"\"<\/p>\n

Figure 4: SMTP header<\/p>\n

Behavioural Analysis<\/h1>\n

Next, we began to examine the malware itself. Below are the features that the author claimed for the ransomware. We take a look at the code to see if it conformed with these features.<\/p>\n

\"\"<\/p>\n

Figure 5: MacRansom Features<\/p>\n

Running the MacRansom sample, a prompt showed up stating the program is from an unidentified developer. So as long as users don’t open suspicious files from unknown developers, they are safe. Clicking Open<\/em> gives permission for the ransomware to run.<\/p>\n

 <\/p>\n

Anti-analysis<\/h2>\n

The first thing the ransomware does is to check if the sample is being run in a non-Mac environment or if it is being debugged. If these conditions are not met, the ransomware terminates.<\/p>\n

It calls the ptrace<\/tt> or process trace command with the argument PT_DENY_ATTACH <\/tt>to check and see if the ransomware is attached to a debugger.<\/p>\n

\"\"<\/p>\n

Figure 6: Ptrace command<\/p>\n

Second, by using the sysctl hw.model<\/tt> command it checks the machine model and compares it to “Mac” string.<\/p>\n

\"\"<\/p>\n

Figure 7: Model check<\/p>\n

Lastly, it checks if the machine has two CPU’s.<\/p>\n

\"\"<\/p>\n

Figure 8: Check for logical CPUs<\/p>\n

 <\/p>\n

Launch Point<\/h2>\n

Once it has passed its initial checks, the ransomware creates a launch point in ~\/LaunchAgent\/com.apple.finder.plist.<\/tt> The filename intentionally imitates a legitimate file in Mac OS to lessen suspicion of malicious activities. This launch point allows MacRansom to run at every start up and ensure that it encrypts on the specified trigger time<\/tt>.<\/p>\n

Contents of com.apple.finder<\/tt>:<\/p>\n

\"\"<\/p>\n

The original executable is then copied to ~\/Library\/.FS_Store.<\/tt> Again the filename is very similar to a legitimate file. After the file is copied, the time date stamp is changed by using the command touch -ct 201606071012 '%s'<\/tt>. The manipulation of the time date stamp is commonly used to confuse investigators when it comes to digital forensics.<\/p>\n

The ransomware then uses launchctl <\/tt>to load the created com.apple.finder.plist<\/tt>.<\/p>\n

 <\/p>\n

Encryption<\/h2>\n

As mentioned, the encryption has a trigger time<\/tt>, which is set by the author. For our case, it was at June 1st<\/sup> 2017 at 12am. The ransomware terminates if the date is before this.<\/p>\n

\"\"<\/p>\n

Figure 9: Trigger time check<\/p>\n

If the trigger time<\/tt> is met, the ransomware starts to enumerate the targeted files by using the command shown below. This is an unusual way for a ransomware to enumerate files but is still effective since most ransomware traverses directories and includes a list of targeted extensions to encrypt.<\/p>\n

%s – is the file path of the ransomware<\/p>\n

\"\" <\/p>\n

Figure 10: File enumeration<\/p>\n

The ransomware only encrypts a maximum of 128 files, returned by the command stated above.<\/p>\n

As with other crypto-ransomware, the encryption algorithm is the core component that we spent most of our analysis time on. Our goal was to find any RSA-crypto routine, however this piece of crypto-ransomware is not as sophisticated as other OSX crypto-ransomware that have been previously disclosed. It uses a symmetric encryption with a hardcoded key to hijack the victim’s files. There are two sets of symmetric keys used by the ransomware:<\/p>\n