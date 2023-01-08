Microsoft has shed light on four ransomware families, KeRanger, FileCoder, MacRansom and EvilQuest, which are known to target Apple's macOS systems.

“While these malware families are old, they exemplify the range of capabilities and potential malicious behavior on the platform [Apple's],” the tech giant's Security Threat Intelligence team said in a report on Thursday.

The initial vector for these ransomware families is what the Windows maker calls “user-assisted methods”: the victim downloads and installs trojanized applications, which is nothing more than the classic social engineering seen before (see the case of trojanized Windows 10 installers).

Alternatively, the trojan can arrive as a second-stage payload delivered by malware already present on the infected host, or as part of a supply-chain attack.

Regardless of the initial vector, the attacks proceed similarly: the attackers rely on legitimate operating system features and exploit vulnerabilities to penetrate systems and encrypt the affected files (see the article on ransomware “attacks”).

This includes using the Unix utility find, as well as the library functions opendir, readdir and closedir, to enumerate files. Another method Microsoft mentions, but which has not been observed in these ransomware strains, is the Objective-C NSFileManager interface.

KeRanger, MacRansom and EvilQuest have been seen to use a series of hardware- and software-based checks to determine whether the malware is running in a virtual environment, in an effort to resist analysis and debugging attempts.

KeRanger, in particular, uses a technique known as delayed execution to evade detection: at launch it goes into a kind of standby for three days before kicking off its malicious functions.

Persistence (the ability to keep “activating” itself, typical of viruses and malware) is essential to ensure that the malware keeps running even after a system reboot; it is established through launch agents and kernel queues, Microsoft said in its report.
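As an added example (not code from Microsoft's report or from this article), the following Python script audits launchd property lists of the kind a dropper installs under LaunchAgents or LaunchDaemons to obtain the persistence described above. The heuristics (executables in world-writable directories, hidden file names, RunAtLoad combined with KeepAlive, Apple-looking labels for non-system binaries) and the sample plists are this example's own assumptions, not indicators published by Microsoft; the kernel-queue persistence mentioned in the text is not covered here.

```python
"""Audit macOS launchd plists for ransomware-style persistence.

Added example: heuristics and sample data are assumptions for illustration,
not a rule set from the Microsoft report discussed in the article.
"""
import os
import plistlib
from xml.parsers.expat import ExpatError

# Directories an unprivileged dropper can write to (assumption: common
# staging locations, not an exhaustive list).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
# Prefixes where a legitimately installed job's binary normally lives.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")

# Standard locations launchd reads agents and daemons from.
LAUNCH_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
)


def program_path(plist):
    """Return the executable a job runs: Program, else ProgramArguments[0]."""
    prog = plist.get("Program")
    if prog:
        return str(prog)
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def audit_launch_agent(data):
    """Return a list of finding strings for one plist; empty means nothing notable."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return ["unparseable plist"]
    path = program_path(plist)
    if path is None:
        return ["no Program/ProgramArguments"]

    findings = []
    expanded = os.path.expanduser(path)
    if expanded.startswith(SUSPICIOUS_DIRS):
        findings.append(f"program in world-writable dir: {path}")
    elif not expanded.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted prefixes: {path}")
    if os.path.basename(expanded).startswith("."):
        findings.append(f"hidden executable name: {os.path.basename(expanded)}")
    # RunAtLoad + KeepAlive means launchd restarts the job after every boot
    # and every kill, the survival property ransomware wants.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive (restarts on boot and on kill)")
    label = str(plist.get("Label", ""))
    if label.startswith("com.apple.") and not expanded.startswith("/System/"):
        findings.append(f"Apple-looking label {label!r} for non-system binary")
    return findings


def scan_launch_dirs(dirs=LAUNCH_DIRS):
    """Audit every .plist under the given directories; returns {path: findings}."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            with open(full, "rb") as fh:
                findings = audit_launch_agent(fh.read())
            if findings:
                report[full] = findings
    return report


# Constructed samples (assumption: shaped like a dropper's agent and a
# normal vendor agent; neither is a real indicator of compromise).
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.updatehelperd",
    "ProgramArguments": ["/Users/Shared/.updatehelperd", "--silent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "Program": "/Applications/Backup.app/Contents/MacOS/backup-agent",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for path, findings in scan_launch_dirs().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run it on a Mac to list every job that trips a heuristic; on other systems the standard directories do not exist and only the constructed samples can be audited. Expect some noise from user LaunchAgents that legitimately point into the home directory, which is why those are reported as “outside trusted prefixes” rather than as suspicious.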

While FileCoder uses the ZIP utility to encrypt files, KeRanger uses AES in cipher block chaining (CBC) mode to achieve its goals; MacRansom and EvilQuest, on the other hand, rely on a symmetric encryption algorithm.

EvilQuest, first discovered in July 2020, goes beyond typical ransomware to incorporate other trojan-like features, such as keylogging, compromising Mach-O files by injecting malicious code, and disabling security software.

It also includes functionality to execute any file directly from memory (i.e. from volatile RAM), leaving no trace of the payload on disk.

“Ransomware continues to be one of the most widespread and impactful threats affecting [various] organizations, with bad actors constantly evolving their techniques and expanding their work to reach a wider network of potential targets,” Microsoft said.

Why does Microsoft “help” Apple?

Not many are aware of it, but Microsoft literally saved Apple during a critical period; after all, while at first Microsoft fought its adversaries (like the war against open source in the early days), later on it became a benefactor.

In the video above (in English), you can see how Microsoft actually saved Apple; for those who don't speak English, there are a number of articles online, such as this one, which explain the matter very well.

It must be said that in the end the story is somewhat mythologized; the video below (also in English) recounts other details of the Microsoft-Apple relationship.