
Malware in the official version of Transmission: the first known ransomware Trojan for Mac.

Malware named OSX.KeRanger.A has been found in the official build of the open source torrent client Transmission 2.90 for Mac. It was first noticed by Russian Mac users, who raised the alarm on the Transmission forum on the morning of March 5.



The presence of the malware on the official Transmission website was confirmed by others. The installer is signed with a third-party key, which may indicate unauthorized access to the Transmission server. At the same time, the attackers used a valid Apple Developer certificate, so Gatekeeper in OS X had no reason to show any warning. The certificate has since been revoked.

Malicious certificate ID -


On March 6, security researchers at Palo Alto Networks published a technical analysis of the OSX.KeRanger.A malware, although they were unable to determine how it got onto the official Transmission website.

It is reported that two .DMG installers on the official site were infected on the morning of March 4 at about 11:00 PST. Distribution of the infected files continued until 19:00 PST on March 5.

OSX.KeRanger.A is the first viable ransomware Trojan for OS X. After installation into the /Users//Library/kernel_service folder (the General.rtf file), it waits three days, contacting its command-and-control server over the Tor network every five minutes.

After three days, the Trojan begins encrypting 300 documents in certain formats on the computer; once finished, it demands that the user buy 1 Bitcoin to have them decrypted. The money is to be sent to the address 1PGAUBqHNcwSHYKnpHgzCrPkyxNxvsmEof.



Experts suggest that KeRanger is still under development: the code contains unused functions named _create_tcp_socket, _execute_cmd and _encrypt_timemachine. The malware's authors are probably working on encrypting Time Machine backups as well.



Apple has revoked the attacker's certificate. On March 5, the Transmission developers removed the infected files from the server and have already released Transmission 2.92, which checks the computer for an OSX.KeRanger.A infection.
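A defender-side check for the indicators the article names, added here as an example and not Transmission's own 2.92 check: it looks for the Library/kernel_service path in each home directory under a given root and for a General.rtf file inside an application bundle (the Contents/Resources location is an assumption), and verifies the bundle's code signature where the macOS tools are present.

```sh
#!/bin/sh
# Example check based on the indicators in the article above:
# the persistence path /Users/<user>/Library/kernel_service and the
# General.rtf file shipped in the trojanised installer. The bundle
# location Contents/Resources is an assumption, not from the article.

# Print every home directory under $1 that contains Library/kernel_service.
# Returns 0 when at least one hit was found, 1 when the root is clean.
scan_homes() {
    root="$1"
    found=1
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        ioc="$home/Library/kernel_service"
        if [ -e "$ioc" ]; then
            printf 'suspicious: %s\n' "$ioc"
            found=0
        fi
    done
    return "$found"
}

# Look for the General.rtf payload file inside an .app bundle.
# Returns 0 if the file is present, 1 otherwise.
check_bundle() {
    app="$1"
    payload="$app/Contents/Resources/General.rtf"
    if [ -f "$payload" ]; then
        printf 'payload file present: %s\n' "$payload"
        return 0
    fi
    return 1
}

# Verify the bundle signature and Gatekeeper assessment. Only meaningful
# on macOS; returns 2 where the tools are not available.
verify_signature() {
    app="$1"
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 2; }
    codesign --verify --deep --strict "$app" && spctl --assess --type execute "$app"
}
```

Run as `scan_homes /Users` and `check_bundle /Applications/Transmission.app`; a valid signature alone is not proof of a clean build, since the trojanised installer was signed with a then-valid certificate.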

P.S. Samples of the infected Transmission installers can be found here.

Source: https://habr.com/ru/post/357534/
