{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/os-x/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Transmission.app","OS X","EasyDoc Convertor"],"_cs_severities":["high"],"_cs_tags":["macos","malware","ransomware","backdoor"],"_cs_type":"advisory","_cs_vendors":["Apple","PaloAlto Networks","ESET","BitDefender"],"content_html":"\u003cp\u003eIn 2016, several new malware families emerged targeting macOS. This brief examines KeRanger, Keydnap, and Eleanor, detailing their unique characteristics. KeRanger, discovered in March 2016, was the first fully functional ransomware for macOS, distributed via a compromised Transmission application. Keydnap, found in July 2016, is a backdoor and credential stealer that also leveraged a compromised Transmission installer. Eleanor, also appearing in July 2016, is a PHP-based backdoor disguised as a fake application called \u0026ldquo;EasyDoc Convertor\u0026rdquo;. These threats highlight the increasing sophistication of macOS malware and the importance of maintaining updated security measures. The compromised Transmission applications underscore supply chain vulnerabilities affecting even legitimate software sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (KeRanger \u0026amp; Keydnap):\u003c/strong\u003e Users download a trojanized version of Transmission.app from the official Transmission website, which was compromised by attackers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (KeRanger):\u003c/strong\u003e The modified Transmission application executes a malicious Mach-O binary (General.rtf renamed to kernel_service) embedded within the application bundle.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution (Keydnap):\u003c/strong\u003e The modified Transmission application executes a malicious binary (License.rtf). Alternatively, users may execute a file named screenshot.jpg with a space at the end, triggering execution via Terminal.app.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Keydnap):\u003c/strong\u003e Keydnap installs two launch agents: \u003ccode\u003ecom.apple.iCloud.sync.daemon\u003c/code\u003e to execute the backdoor component \u003ccode\u003eicloudsyncd\u003c/code\u003e, and \u003ccode\u003ecom.geticloud.icloud.photo\u003c/code\u003e to run a Tor2Web proxy (\u003ccode\u003eicloudproc\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Keydnap):\u003c/strong\u003e The \u003ccode\u003eicloudsyncd\u003c/code\u003e binary attempts to elevate privileges by prompting the user for access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Keydnap):\u003c/strong\u003e The \u003ccode\u003eicloudsyncd\u003c/code\u003e binary dumps credentials and sensitive information from the keychain using code from the open-source \u003ccode\u003ekeychaindump\u003c/code\u003e project, and communicates with its C2 server via the Tor2Web proxy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEncryption (KeRanger):\u003c/strong\u003e KeRanger encrypts files under \u003ccode\u003e/Users/*\u003c/code\u003e and \u003ccode\u003e/Volumes/*\u003c/code\u003e that match predefined extensions (e.g., .docs, .jpgs, .zips, .cpp).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom Demand (KeRanger):\u003c/strong\u003e KeRanger creates a plaintext readme file in each directory where files were encrypted, providing instructions to the user on how to pay the ransom.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the Transmission application exposed an unknown number of macOS users to ransomware and backdoors. KeRanger\u0026rsquo;s ransomware capabilities could result in significant data loss and financial extortion. Keydnap\u0026rsquo;s credential-stealing functionality could compromise user accounts and sensitive data. Eleanor allows attackers to remotely administer the infected machine.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Gatekeeper and keep XProtect signatures up to date on macOS to prevent execution of unsigned or known malicious applications. (Reference: KeRanger disinfection instructions)\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of launch agents with suspicious names or associated binaries in \u003ccode\u003e/Library/LaunchAgents\u003c/code\u003e or \u003ccode\u003e~/Library/LaunchAgents\u003c/code\u003e. Deploy the Sigma rule for suspicious launch agent creation.\u003c/li\u003e\n\u003cli\u003eMonitor for network connections to Tor2Web proxies, especially from unusual processes. Block known Tor exit nodes at the firewall. (Reference: Keydnap description of Tor2Web usage)\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect execution of binaries with a trailing space in their filename, a technique employed by Keydnap.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-mac-malware-2016/","summary":"Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.","title":"Mac Malware Analysis of 2016: KeRanger, Keydnap, and Eleanor","url":"https://feed.craftedsignal.io/briefs/2024-01-mac-malware-2016/"}],"language":"en","title":"CraftedSignal Threat Feed — OS X","version":"https://jsonfeed.org/version/1.1"}