Mac OS X Ransomware KeRanger Is Linux Encoder Trojan


So there’s been a fair bit of noise this past week about the Mac OS X ransomware KeRanger, the first of its kind. It also happens to be the first widely reported Mac malware of any form for some time.

It’s also a lesson to all the Apple fanbois that their OS is not impervious: this was bundled with legitimate software (Transmission) and got past the Gatekeeper protection because it was signed with a valid developer certificate.

Mac OS X Ransomware KeRanger

It turns out it’s basically just the Linux Encoder Trojan (the first Linux ransomware trojan) re-purposed for Macs, which is no surprise given that OS X is itself a *nix variant: a BSD-derived system (Darwin, with a FreeBSD-derived userland) with a fancy window manager on top.

The world’s first fully functional OS X ransomware, KeRanger, is really a Mac version of the Linux Encoder Trojan, according to new research from Romanian security software firm Bitdefender.

The infected OS X torrent update carrying KeRanger looks virtually identical to version 4 of the Linux Encoder Trojan that has already infected thousands of Linux servers this year.

KeRanger spread via an infected version of an otherwise legitimate open source BitTorrent application, Transmission. The tainted version (2.90) was available for download between March 4 and March 5, 2016 and came signed with a legitimate developer certificate.

Apple’s OS X ships with a security feature called Gatekeeper, allowing users to restrict which sources they can install applications from in order to minimize the likelihood of deploying a malicious app. The default setting allows users to install applications from the Mac App Store or applications that are digitally signed by a developer.

By using a developer certificate to sign their wares, the crooks behind KeRanger were able to circumvent Apple’s Gatekeeper control. Apple has since revoked the misused certificate, which was issued to a Turkish firm, so the immediate panic is over.

However, similar attacks along the same lines might easily re-appear, so merely disallowing unsigned software from running on Macs is no defense.


It’s a pretty nasty form of extortion and, as we wrote before, if you do get hit there’s not a lot you can do. Even the FBI Recommends Crypto Ransomware Victims Just Pay.

The developer cert used to sign the dodgy version of Transmission has been revoked, which stops Gatekeeper admitting freshly downloaded copies but does nothing for a machine that has already been encrypted. It just goes to show the system is not flawless and this could easily happen again.

KeRanger isn’t the first Mac malware with the capability to circumvent Gatekeeper. For example, three years ago the same trick was used in a trojan (KitM.A) found on computers belonging to Angolan civil rights activists, Bitdefender reports.

“Once the infected installer is executed, the Trojan connects to the command and control centers via TOR and retrieves an encryption key,” explained Catalin Cosoi, chief security strategist at Bitdefender.

“After encryption finishes, the KeRanger ransomware creates a file called README_FOR_DECRYPT.txt, which holds the information on how the victim should pay the ransom. The encryption functions are identical to those deployed by the Linux Encoder Trojan and have the same names.”
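The two host-level indicators the article gives are easy to check for yourself: the Transmission bundle version (2.90 was the tainted build) and the README_FOR_DECRYPT.txt ransom note. The script below is an added example, not code from the original article, from Bitdefender or from the Transmission project; it reads CFBundleShortVersionString from a bundle’s Info.plist and walks a user tree for ransom notes. The sample bundle and user directory it builds are constructed in a temp dir so it runs anywhere; the “clean” version 2.92 used for contrast is assumed for the example.

```python
"""Check a Mac for the tainted Transmission 2.90 build and KeRanger ransom notes.

Added example, not code from the original article, Bitdefender or Transmission.
Indicators used are the two the article names: bundle version 2.90 and a file
called README_FOR_DECRYPT.txt. The sample tree is constructed below so the
script runs offline; on a real Mac point scan() at /Applications/Transmission.app
and /Users instead.
"""
import os
import plistlib
import tempfile
from pathlib import Path

TAINTED_VERSION = "2.90"           # Transmission release that carried KeRanger
RANSOM_NOTE = "README_FOR_DECRYPT.txt"


def bundle_version(app_path):
    """Return CFBundleShortVersionString from an .app's Info.plist, or None."""
    plist = Path(app_path) / "Contents" / "Info.plist"
    if not plist.is_file():
        return None
    with open(plist, "rb") as fh:
        info = plistlib.load(fh)
    return info.get("CFBundleShortVersionString")


def transmission_is_tainted(app_path):
    """True if the bundle reports the version that shipped with KeRanger."""
    return bundle_version(app_path) == TAINTED_VERSION


def find_ransom_notes(root):
    """Walk a directory tree and return every KeRanger-style ransom note path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            hits.append(os.path.join(dirpath, RANSOM_NOTE))
    return sorted(hits)


def scan(app_path, user_root):
    """Combine both checks into one report dict."""
    return {
        "transmission_version": bundle_version(app_path),
        "tainted_transmission": transmission_is_tainted(app_path),
        "ransom_notes": find_ransom_notes(user_root),
    }


def build_sample_tree(base, version):
    """Construct a fake Transmission.app plus a user tree (sample data only).

    The ransom note text is invented for the example; only the file name
    matters to the detector.
    """
    app = Path(base) / "Applications" / "Transmission.app"
    contents = app / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)
    docs = Path(base) / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "thesis.docx").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("Your files are encrypted. Pay to decrypt.\n")
    return str(app), str(Path(base) / "Users")


def demo(version):
    """Build the constructed sample tree in a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as base:
        app, users = build_sample_tree(base, version)
        return scan(app, users)


if __name__ == "__main__":
    for v in (TAINTED_VERSION, "2.92"):   # 2.92 assumed as a later clean build
        print(v, demo(v))
```

On a live Mac the complementary Gatekeeper checks are `spctl --assess --verbose=4 --type execute /Applications/Transmission.app`, which reports whether Gatekeeper would now admit the bundle, and `codesign -dvvv /Applications/Transmission.app`, which prints the signing identity so you can see whose certificate it carries. Bear in mind that a revoked certificate only blocks new launches through Gatekeeper; it does not stop a copy that is already running or undo encryption that has already happened.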

Six months ago, only Windows and Android smartphone users needed to worry about ransomware, but that has changed more recently so that Linux server admins and even Mac users need to be wary of potential attack. Windows remains the target of the greatest number of different ransomware strains and the main locus of the problem, as it is for other types of malware.

The developers behind the Linux Encoder malware have either expanded to OS X or have licensed their code to a cybercrime group specializing in OS X attacks, according to Bitdefender.

I’m pretty sure no one reading this site will get caught out by this kind of thing, but if you did, well, that mistake is gonna cost you over US$400.

Be wary, and do inform your Apple loving friends and family members that the bad guys feel like it’s worth targeting them now, the free-love, no anti-virus party is over.

Source: The Register

Posted in: Apple, Malware




