First-Ever Ransomware Found to be Attacking macOS

LockBit ransomware gang targets Macs with its newly-developed encryptors for the first time, making them potentially the first significant ransomware group to aim at macOS.

Ransomware attacks are widespread, but attackers rarely create malware versions that target Macs.

Apple computers, although widely used, have a lower presence compared to other platforms like:

  • Windows
  • Linux

MalwareHunterTeam first detected samples of ransomware encryptors in VirusTotal’s malware analysis repository between November and December 2022.

In a recent tweet, MalwareHunterTeam discussed a new LockBit ransomware variant targeting macOS.

https://twitter.com/malwrhunterteam/status/1647384505550876675

LockBit developed encryptor versions for both newer Macs based on Apple's own processors and older Macs that used PowerPC chips.

Technical Analysis

MalwareHunterTeam discovered a ZIP archive on VirusTotal that seemingly includes the majority of available LockBit encryptors.

LockBit operations traditionally employ encryptors created for targeting:-

Apart from this, a specific encryptor called ‘locker_Apple_M1_64’ is aimed at encrypting newer Macs with Apple Silicon.

While analyzing the LockBit encryptor for Apple M1, researchers at Objective-See found out-of-place strings suggesting that it was hastily assembled as a test and not intended for macOS encryption.

Multiple references to VMware ESXi were found in the Apple M1 encryptor, which is odd since VMware had previously declared that it would not support the CPU architecture.

Using the codesign utility, it was determined that the encryptor was signed in an “ad-hoc” manner rather than with an Apple Developer ID.

As a result, macOS would prevent it from running if downloaded onto a system by attackers, which was confirmed by the “invalid signature” message shown by the spctl utility.

The locker_Apple_M1_64 is an arm64 binary whose symbols were left unstripped, which makes analysis more straightforward.

The encryptor excludes 65 Windows file extensions and folders from encryption, specified by their filenames.

Here’s what Patrick Wardle of Objective-See stated:

“The macOS encryptor is a compiled version of the Linux-based encryptor with basic configuration settings. However, upon launching, it crashes due to a buffer overflow bug in the code.”

Although macOS is now on their radar, the encryptor is not yet ready for deployment as it only has basic configuration flags added during compilation for macOS.

Before it can function as an encryptor, the LockBit developer needs to bypass TCC and obtain notarization.

However, LockBitSupp, the public face of LockBit, stated that the Mac encryptor is currently under active development.

Although it is unclear how useful the macOS encryptor would be in enterprise environments, LockBit affiliates targeting small businesses and consumers may find it more useful.

Copyright 2021 Associated Press. All rights reserved.

Source: https://cybersecuritynews.com/first-ever-ransomware/
