{"id":8261,"date":"2023-01-06T15:40:43","date_gmt":"2023-01-06T15:40:43","guid":{"rendered":"https:\/\/reconcybersecurity.com\/?p=8261"},"modified":"2023-04-16T10:41:27","modified_gmt":"2023-04-16T10:41:27","slug":"microsoft-discloses-methods-utilized-by-four-ransomware-clans-that-have-been-attacking-macos-devices-recon-cyber-security-cyber-security","status":"publish","type":"post","link":"https:\/\/reconcybersecurity.com\/blogs\/microsoft-discloses-methods-utilized-by-four-ransomware-clans-that-have-been-attacking-macos-devices-recon-cyber-security-cyber-security\/","title":{"rendered":"Microsoft discloses methods utilized by four ransomware clans that have been attacking macOS devices. | RECON CYBER SECURITY"},"content":{"rendered":"\n<p class=\"has-black-color has-text-color has-medium-font-size\"><strong><a href=\"https:\/\/reconcybersecurity.com\/could-hoaxshell-create-a-hidden-windows-reverse-shell\/\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">Microsoft<\/mark><\/a><\/strong> recently revealed four strains of ransomware targeting <a href=\"https:\/\/reconcybersecurity.com\/apple-has-finally-added-encryption-to-its-icloud-backups\/\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0);color:#ff0e0e\" class=\"has-inline-color\">Apple macOS<\/mark><\/strong><\/a> systems &#8211; KeRanger, FileCoder, MacRansom, and EvilQuest. These malware variants showcase the range of malicious activity that can occur on macOS. According to Microsoft&#8217;s Security Threat Intelligence team, these viruses are typically transmitted through user-assisted methods such as trojanized applications, or even as a second-stage payload dropped by existing malware or during a supply chain attack. 
Such an insidious approach serves to further highlight the need for secure protection and vigilance when downloading from unverified sources.<\/p>\n\n\n\n<p class=\"has-black-color has-text-color has-medium-font-size\">To infiltrate systems and encrypt important files, the threat actors behind <a href=\"https:\/\/reconcybersecurity.com\/how-to-protect-yourself-from-ransomware-cyber-security-recon-cyber-security\/\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">ransomware<\/mark><\/strong><\/a> campaigns utilize several tactics. One common approach is to exploit vulnerabilities while making use of pre-existing operating system components such as Unix&#8217;s find utility and library functions like opendir, readdir, and closedir to identify key documents. Microsoft has further highlighted the NSFileManager Objective-C interface; however, malicious strains such as KeRanger, MacRansom, and EvilQuest generally evade this option by employing both hardware- and software-based tests to ascertain if their code is being run on a virtual environment or not, thereby curbing debugging efforts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/reconcybersecurity.com\/wp-content\/uploads\/2023\/01\/recon.png\" alt=\"\" class=\"wp-image-8262\"\/><\/figure>\n\n\n\n<p class=\"has-black-color has-text-color has-medium-font-size\">Noted for its use of delayed execution, KeRanger evades detection by first sleeping for three days and then initiating <a href=\"https:\/\/reconcybersecurity.com\/could-linux-systems-that-use-shc-be-at-risk-of-a-new-malware-strain-targeting-their-cryptocurrency-miners-cyber-security-recon-force\/\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-purple-color\">malicious<\/mark><\/strong><\/a> functions. 
For maintaining persistence even after a system restart, the ransomware makes use of launch agents and kernel queues, as explained by Microsoft. Compared to FileCoder, which relies on ZIP to encrypt files, KeRanger employs the Advanced Encryption Standard (AES) with Cipher Block Chaining (CBC). Both MacRansom and EvilQuest apply symmetric encryption algorithms, while EvilQuest is equipped with an array of <a href=\"https:\/\/reconcybersecurity.com\/how-to-create-a-trojan-virus-in-windows\/\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-orange-color\">Trojan-like<\/mark><\/strong><\/a> characteristics. These include keylogging, infecting Mach-O files by injecting arbitrary code, disabling security software, and running payloads from memory without leaving any traces on the disk.<\/p>\n\n\n\n<p class=\"has-black-color has-text-color has-medium-font-size\"><em>Ransomware continues to be a significant issue that impacts many organizations. <a href=\"https:\/\/reconcybersecurity.com\/\"><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Attackers<\/mark><\/strong><\/a> are constantly innovating their strategies, allowing them to widen their attack base and inflict more damage. Microsoft warned of these evolving tactics.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Microsoft recently revealed four strains of ransomware targeting Apple macOS systems &#8211; KeRanger, FileCoder, MacRansom, and EvilQuest. 
These&hellip;\n","protected":false},"author":1,"featured_media":10764,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[241],"tags":[240,358,359,360,361,311],"class_list":{"0":"post-8261","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-it-knowledge","8":"tag-cyber-security","9":"tag-microsoft","10":"tag-microsoft-attacks","11":"tag-microsoft-methods","12":"tag-microsoft-ransomeware","13":"tag-recon-cyber-security"},"_links":{"self":[{"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/posts\/8261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/comments?post=8261"}],"version-history":[{"count":2,"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/posts\/8261\/revisions"}],"predecessor-version":[{"id":10765,"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/posts\/8261\/revisions\/10765"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/media\/10764"}],"wp:attachment":[{"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/media?parent=8261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/categories?post=8261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/reconcybersecurity.com\/blogs\/wp-json\/wp\/v2\/tags?post=8261"
}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}