New First OS X Ransomware Appears: Threat for Mac

March 11, 2016

eScan's earlier threat predictions for 2016 have proved to be correct. As they stated, “Ransomware creators would be looking to target new operating system such as Mac”, and now a new ransomware known as KeRanger (Trojan.MAC.KeRangerRansom.A) has been detected on Mac OS X by eScan researchers. The ransomware was distributed through a popular BitTorrent client called Transmission, to OS X users who downloaded Transmission on March 4 and March 5, 2016.

How does the Trojan Work?

According to the eScan research team, Windows ransomware typically enters the system through Word files sent as attachments. In this case, however, the cyber-criminals hacked the most popular BitTorrent client, created a fake version numbered 2.90 and published it on Transmission's official website.

Infected Transmission installers include an extra file, General.rtf, which looks like a regular OS X executable file but is actually a Mach-O format executable. Mach-O is a file format for executables, object code and shared libraries on OS X and other Mach kernel systems. The file gets executed because the KeRanger application was signed with a valid Mac app development certificate.

As a result, it could bypass Apple’s Gatekeeper protection. It then changes the entries in the kernel, after which it encrypts files with a wide range of extensions such as *.zip, *.doc, *.jpg, *.mp3, *.db etc., including the files found in the user's directory and its associated subdirectories. The malware connects to its CnC server through the Tor anonymiser network and downloads the payload, after which it displays a ransom note demanding that victims pay a bitcoin to retrieve their files.

If you downloaded the Transmission installer from the official website between March 4 and March 5, 2016, you might have been infected by the malware.
