Attackers Constantly Improve Their Attack Methods
Posted by , 11-01-2023
Microsoft has profiled four ransomware families known to affect Apple macOS systems: KeRanger, FileCoder, MacRansom, and EvilQuest.
"Though these malware families are older, they demonstrate the breadth of functionality and malicious behavior possible on their platforms," said the technology giant's security threat intelligence team in a report published Thursday.
The initial infection vector for these families relies on what the Windows maker calls "user-assisted methods," in which the victim downloads and installs a Trojanized application.
Alternatively, the ransomware can arrive as a second-stage payload dropped by malware already present on the host, or as part of a supply chain attack.
KeRanger, MacRansom, and EvilQuest also combine hardware- and software-based checks to determine whether they are running inside a virtual machine, and include measures designed to resist analysis and debugging.
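To make those checks concrete, here is an added Python example; it is not code from Microsoft's report or from any of the three families. It mirrors the shape of the checks described above (a hardware check on the model identifier, a CPU-topology check, and a software check for hypervisor guest-tools processes) with a pure classifier that can be exercised offline on constructed facts, plus a live probe that runs the underlying sysctl and ps queries on macOS only. The marker lists, the strong/weak weighting and the sample facts are illustrative assumptions, not the exact logic of any one sample.

```python
"""Added example (not code from Microsoft's report or from KeRanger,
MacRansom or EvilQuest): the kind of hardware- and software-based checks
macOS ransomware makes before deciding it is on a real victim machine.
Marker lists and thresholds are illustrative assumptions."""
import subprocess
import sys

# Assumption: substrings seen in hw.model on virtualised Macs; Apple's own
# Virtualization framework reports "VirtualMac2,1".
VM_MODEL_MARKERS = ("vmware", "virtualbox", "parallels", "qemu", "virtualmac")
# Assumption: guest-tools processes that betray a hypervisor from userland.
VM_PROCESS_MARKERS = ("vmware-tools", "vboxclient", "vboxservice", "prl_tools")
APPLE_MODEL_PREFIXES = ("mac", "imac")   # "MacBookPro16,1", "Macmini9,1", "iMac20,1", ...


def classify_host(hw_model, logical_cpu, physical_cpu, process_names=()):
    """Return {'suspected_vm': bool, 'findings': [(severity, message), ...]}.

    A "strong" finding alone marks the host as a VM; "weak" findings are
    reported but do not, which is where a real-world caveat lives (below).
    """
    findings = []
    model = hw_model.lower()

    # Hardware check: model identifier.
    if not model.startswith(APPLE_MODEL_PREFIXES):
        findings.append(("strong", f"hw.model {hw_model!r} is not an Apple model identifier"))
    if any(marker in model for marker in VM_MODEL_MARKERS):
        findings.append(("strong", f"hw.model {hw_model!r} names a hypervisor"))

    # Hardware check: CPU topology. Hypervisors often expose vCPUs with no SMT,
    # so logical == physical. Caveat: Apple silicon has no SMT either, so on
    # those machines this signal is normal and must stay "weak".
    if logical_cpu < 1 or physical_cpu < 1 or logical_cpu < physical_cpu:
        findings.append(("strong", f"implausible CPU counts logical={logical_cpu} physical={physical_cpu}"))
    elif logical_cpu == physical_cpu:
        findings.append(("weak", "logical == physical CPUs (no SMT): VM or Apple silicon"))

    # Software check: hypervisor guest-tools processes.
    for name in process_names:
        lowered = name.lower()
        if any(marker in lowered for marker in VM_PROCESS_MARKERS):
            findings.append(("strong", f"hypervisor guest process {name!r} is running"))

    return {"suspected_vm": any(sev == "strong" for sev, _ in findings), "findings": findings}


def _sysctl(key):
    return subprocess.run(["sysctl", "-n", key], capture_output=True, text=True, check=True).stdout.strip()


def probe_live_host():
    """Gather the same facts from a real macOS host and classify it."""
    if sys.platform != "darwin":
        raise RuntimeError("the hw.* sysctl keys queried here exist only on macOS")
    procs = subprocess.run(["ps", "-axo", "comm="], capture_output=True, text=True, check=True).stdout
    return classify_host(_sysctl("hw.model"), int(_sysctl("hw.logicalcpu")), int(_sysctl("hw.physicalcpu")),
                         [line.strip() for line in procs.splitlines() if line.strip()])


if __name__ == "__main__":
    # Constructed facts for a physical Intel MacBook Pro versus a VMware guest.
    for facts in [("MacBookPro16,1", 16, 8, ["launchd", "Finder"]),
                  ("VMware7,1", 2, 2, ["launchd", "vmware-tools-daemon"])]:
        print(facts[0], "->", classify_host(*facts))
```

The weak/strong split is the practical point for anyone building a detonation sandbox: hiding a hypervisor model string and guest-tools processes defeats the strong checks, while an Apple silicon host with equal logical and physical CPU counts would trip a naive equality check even on real hardware.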
FileCoder encrypts files with the ZIP utility, whereas KeRanger uses AES in Cipher Block Chaining (CBC) mode.
MacRansom and EvilQuest, for their part, also rely on symmetric encryption.
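The two encryption approaches above leave different traces on disk, which matters during triage of a hit host. The following Python helper is an added example (not from Microsoft's report or from the malware) that separates FileCoder-style password-protected ZIP output from block-cipher ciphertext such as KeRanger's AES-CBC output using byte-level evidence only: the encryption bit in the ZIP local file header, and the combination of high Shannon entropy with 16-byte alignment that padded CBC ciphertext always has. The entropy threshold and the sample blobs are constructed for illustration.

```python
"""Added example (not from Microsoft's report or the malware): a small
triage helper that tells FileCoder-style password-protected ZIP output apart
from block-cipher ciphertext such as KeRanger's AES-CBC output, using only
byte-level evidence. Thresholds and sample data are constructed."""
import math
import struct
from collections import Counter

ZIP_LOCAL_MAGIC = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001   # bit 0 of the general-purpose flag in the local file header
AES_BLOCK = 16                # AES block size; CBC with PKCS#7 padding yields a multiple of it
ENTROPY_THRESHOLD = 7.5       # assumption: bits/byte above which data is treated as random-looking


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zip_encryption_flag(data: bytes):
    """True/False if data starts with a ZIP local file header, None if it is not a ZIP."""
    if len(data) < 30 or not data.startswith(ZIP_LOCAL_MAGIC):
        return None
    flags = struct.unpack_from("<H", data, 6)[0]   # general-purpose bit flag sits at offset 6
    return bool(flags & ZIP_FLAG_ENCRYPTED)


def triage(data: bytes) -> str:
    """Classify a ransomed file's bytes into one of a few coarse buckets."""
    encrypted = zip_encryption_flag(data)
    if encrypted is True:
        return "encrypted-zip"          # FileCoder-style: archive whose entries are password-protected
    if encrypted is False:
        return "plain-zip"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        # Padded CBC output is always block-aligned; compressed files are also
        # high-entropy but only aligned by chance, so alignment is a hint, not proof.
        return "block-aligned-ciphertext" if len(data) % AES_BLOCK == 0 else "high-entropy-unaligned"
    return "low-entropy"


def make_zip_local_header(name: bytes, encrypted: bool) -> bytes:
    """Build a minimal ZIP local file header (constructed test data, not a real archive)."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_MAGIC, 20, flags, 0, 0, 0, 0, 0, 0, len(name), 0)
    return header + name


# Constructed samples standing in for files recovered from an infected host.
ENCRYPTED_ZIP_SAMPLE = make_zip_local_header(b"report.docx", True) + b"\x00" * 32
PLAIN_ZIP_SAMPLE = make_zip_local_header(b"report.docx", False) + b"\x00" * 32
CIPHERTEXT_SAMPLE = bytes(range(256)) * 16          # uniform bytes, 4096 = 256 * 16, block-aligned
COMPRESSED_SAMPLE = CIPHERTEXT_SAMPLE + b"\x00"     # still high-entropy, but 4097 bytes
PLAINTEXT_SAMPLE = b"Quarterly numbers: revenue up 4%, churn down.\n" * 20

if __name__ == "__main__":
    for label, blob in [("encrypted zip", ENCRYPTED_ZIP_SAMPLE), ("plain zip", PLAIN_ZIP_SAMPLE),
                        ("ciphertext", CIPHERTEXT_SAMPLE), ("compressed", COMPRESSED_SAMPLE),
                        ("plaintext", PLAINTEXT_SAMPLE)]:
        print(f"{label:14s} -> {triage(blob)}  (entropy {shannon_entropy(blob):.2f})")
```

The ZIP case is the cheap win: a password-protected archive still carries its header and entry names in the clear, so the encryption flag and the file listing are recoverable without the key. The ciphertext case is weaker evidence, and a practitioner should pair the entropy check with the renamed-extension or ransom-note artifacts the family leaves behind.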
First discovered in July 2020, EvilQuest goes beyond typical ransomware and behaves like a broader Trojan: it logs keystrokes, infects Mach-O files by injecting arbitrary code, and disables security software.
It can also execute arbitrary files directly from memory, leaving few traces of the payload on disk.