In a new report, Microsoft revealed the tactics used by four ransomware families that target macOS systems: KeRanger, FileCoder, MacRansom, and EvilQuest.

Probing the macOS threats

According to the report, the malware families are old and display a range of capabilities.
  • The initial vector for all these malware families is user-assisted: the victim downloads and installs trojanized apps.
  • Alternatively, the malware can arrive as a second-stage payload dropped by existing malware as part of a supply chain attack.
  • Irrespective of the initial attack vector, the attackers rely on genuine OS features for the later stages and abuse flaws to break into the systems and encrypt files.

Insights into tactics used

All four ransomware families are using different tactics to perform different tasks.
  • File enumeration: FileCoder and MacRansom use the Unix find utility, while KeRanger and EvilQuest use library functions such as opendir, readdir, and closedir to locate and organize the files they will encrypt.
  • Analysis evasion: KeRanger employs a delayed-execution technique, staying silent for three days after infection to escape detection. MacRansom, EvilQuest, and KeRanger use a combination of hardware- and software-based checks to find out whether they are running in a virtual environment, so as to resist analysis.
  • Encryption: FileCoder uses the ZIP utility to encrypt files, while KeRanger uses AES encryption in cipher block chaining (CBC) mode. MacRansom and EvilQuest use custom symmetric algorithms for file encryption. Further, EvilQuest has trojan-like features, such as keylogging and compromising Mach-O files by injecting arbitrary code.
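The enumeration and encryption tradecraft listed above gives a defender two kinds of signal: process-level (a `find` walk of user data, or `zip` invoked with its password options, launched from inside an application bundle) and file-level (files that suddenly have the near-8-bits-per-byte entropy of ciphertext, whatever routine produced it). The script below is an added example, not code from Microsoft's report or from any of the malware families; the event dictionaries, the parent/argv field names, the `Trojanized.app` path and the file contents are all constructed for illustration and are not a real sensor's schema.

```python
"""Triage heuristics for the macOS ransomware behaviours described in the report.

Constructed example: process-execution events are dicts with 'parent' (path of
the parent image) and 'argv' (list of strings); file samples are raw bytes.
"""
import math
from collections import Counter

# Info-ZIP `zip` options that produce password-protected archives.
ZIP_ENCRYPT_FLAGS = {"-e", "--encrypt", "-P", "--password"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, well
    below that for ordinary documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def flags_find_enumeration(event: dict) -> bool:
    """find(1) walking a user's home directory, spawned by a process that lives
    inside an .app bundle rather than by an interactive shell. FileCoder and
    MacRansom enumerate with find; KeRanger and EvilQuest use opendir/readdir
    in-process, so this rule does not see them (the entropy check below does)."""
    argv = event["argv"]
    if not argv or _basename(argv[0]) != "find":
        return False
    walks_user_data = any(a.startswith("/Users/") or a == "~" for a in argv[1:])
    parent_is_app_bundle = ".app/Contents/" in event["parent"]
    return walks_user_data and parent_is_app_bundle


def flags_zip_encryption(event: dict) -> bool:
    """zip(1) asked to password-protect its output (FileCoder encrypts with the
    ZIP utility). `-P` may carry the password attached, so prefix-match it."""
    argv = event["argv"]
    if not argv or _basename(argv[0]) != "zip":
        return False
    return any(a in ZIP_ENCRYPT_FLAGS or a.startswith("-P") for a in argv[1:])


def triage(events, file_samples, entropy_threshold=7.5):
    """Return (rule, detail) findings for a batch of events and file contents."""
    findings = []
    for ev in events:
        if flags_find_enumeration(ev):
            findings.append(("find_enumeration", ev["parent"]))
        if flags_zip_encryption(ev):
            findings.append(("zip_encryption", ev["parent"]))
    high = sorted(p for p, d in file_samples.items()
                  if shannon_entropy(d) >= entropy_threshold)
    if high:
        findings.append(("high_entropy_files", ",".join(high)))
    return findings


# Constructed sample input: two benign shell-driven commands and two launched
# from a hypothetical trojanized app bundle.
TROJAN_PARENT = "/Applications/Trojanized.app/Contents/MacOS/Trojanized"
SAMPLE_EVENTS = [
    {"parent": "/bin/zsh",
     "argv": ["/usr/bin/find", "/Users/alice/Documents", "-name", "*.pdf"]},
    {"parent": TROJAN_PARENT,
     "argv": ["/usr/bin/find", "/Users/alice", "-type", "f"]},
    {"parent": "/bin/zsh",
     "argv": ["/usr/bin/zip", "-r", "backup.zip", "notes"]},
    {"parent": TROJAN_PARENT,
     "argv": ["/usr/bin/zip", "-r", "-P", "s3cret", "/Users/alice/Documents.zip",
              "/Users/alice/Documents"]},
]

# Constructed file contents: plain text versus a byte-uniform blob standing in
# for ciphertext (every byte value appears equally often, so entropy is 8.0).
SAMPLE_FILES = {
    "/Users/alice/Documents/report.txt": b"Quarterly report: revenue up, costs flat. " * 20,
    "/Users/alice/Documents/report.txt.crypt": bytes(range(256)) * 8,
}

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"{rule}: {detail}")
```

The `.app/Contents/` parent test is a tuning assumption rather than a rule from the report: legitimate apps can also spawn `find`, so in production the rule would be scoped to unsigned or recently installed bundles. The entropy heuristic is deliberately independent of how the encryption was done, which is what makes it useful against the custom symmetric ciphers MacRansom and EvilQuest use.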

Closing thoughts

Ransomware actors are regularly upgrading their malware to make them more efficient while evading security systems with new techniques. Understanding the usual tactics and routines of these malware can help organizations step up their data protection and cyber defense strategy. Security teams are advised to use real-time threat intelligence to keep up with changing TTPs of ransomware threats.
Cyware Publisher
