The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection. Gatekeeper checks that a downloaded app carries a valid Apple-issued developer signature, not that its code is benign, so a signed malicious build passes the check. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network, a dormancy period that also keeps the malicious behaviour hidden from anyone who runs the installer and watches it right away. The malware then begins encrypting certain types of document and data files on the system.

Our analysis suggests the attacker may also be trying to develop backdoor functionality and to encrypt Time Machine backup files. Some of these functions have been finished but are not used in the current samples. If those backup files were encrypted, victims would not be able to recover their damaged files using Time Machine.

Figure 11 Function "_encrypt_timemachine" is implemented but not used yet

It's possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can't confirm how this infection occurred. Transmission is free to download and use on any machine running Mac OS X 10.4.11 or later. (Azureus, another BitTorrent client, is Java based, supports the I2P and Tor anonymous communication protocols, and runs on Windows, Mac OS X, Linux and Unix.)

Figure 1 KeRanger hosted in Transmission's official website

Mitigations

We reported the issue to the Transmission Project and to Apple immediately after we identified it. As of March 5, the Transmission Project has removed the malicious installers from its website. Apple has since revoked the abused certificate, so Gatekeeper will now block the malicious installers, and has updated its XProtect signatures to cover the family; the signature update is pushed automatically to all Mac computers. We have also updated URL Filtering and Threat Prevention to stop KeRanger from impacting Palo Alto Networks customers.

Because the certificate has been revoked and XProtect has been updated, a user who tries to open a known infected version of Transmission will see a warning dialog that states "Transmission.app will damage your computer. You should move it to the Trash." or "Transmission can't be opened. You should eject the disk image." If you see either of these warnings, we suggest following Apple's instructions to avoid being affected. Users of older versions of Transmission do not appear to be affected as of now.

If the Transmission installer was downloaded earlier, or from any third-party website, we suggest users take the following steps to identify and remove KeRanger before it holds their files for ransom:

1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either exists, the Transmission application is infected and we suggest deleting this version of Transmission.

2. In Activity Monitor, check whether a process named "kernel_service" is running. If so, double check the process: choose "Open Files and Ports" and check whether there is a file named like "/Users//Library/kernel_service" (Figure 12). If so, the process is KeRanger's main process. We suggest terminating it with "Quit -> Force Quit" and then deleting the file(s) it had open.

Figure 12 The malicious "kernel_service" process
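To make the two manual checks above repeatable, here is a small POSIX shell script, added as an example for this page and not part of the original Unit 42 post or of the Transmission project. It looks for the General.rtf indicator in the two paths the article names, and for a kernel_service process whose open files include a path under a user's Library folder, the same thing Activity Monitor's "Open Files and Ports" view shows. Assumptions that are not in the article: the optional root-prefix argument exists only so the file check can be exercised against a staged directory tree, pgrep and lsof stand in for Activity Monitor in the live check, the path pattern treats the user-name component of the indicator path as a wildcard, and the lsof-style sample lines are constructed, not captured. The script only reports; deletion is left to the user, as the article advises.

```shell
#!/bin/sh
# KeRanger indicator check. Added example; not code from the original post.
# Reports only, never deletes anything.

# Step 1 from the article: the infected Transmission build ships a
# General.rtf in its Resources folder. $1 is an optional root prefix
# (empty on a real system) so the check can run against a staged tree.
# Returns 0 if any indicator file exists, 1 if the tree looks clean.
find_general_rtf() {
    root="${1:-}"
    hits=0
    for p in \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"
    do
        if [ -e "$p" ]; then
            printf 'INFECTED: %s exists; delete this copy of Transmission\n' "$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Step 2: given lsof-style output on stdin (COMMAND PID USER FD TYPE
# DEVICE SIZE/OFF NODE NAME), print every open path that matches the
# "/Users/<user>/Library/kernel_service" indicator and return 0 if any
# matched. Assumption: the user-name component is arbitrary.
match_kernel_service_file() {
    awk '$NF ~ /^\/Users\/[^\/]+\/Library\/kernel_service$/ { print $NF; found = 1 }
         END { exit !found }'
}

# Live form of step 2 (macOS): pgrep/lsof in place of Activity Monitor.
# Returns 0 if a kernel_service process has the KeRanger file open.
check_kernel_service_process() {
    pids=$(pgrep -x kernel_service 2>/dev/null) || {
        echo "no kernel_service process running"
        return 1
    }
    for pid in $pids; do
        if lsof -p "$pid" 2>/dev/null | match_kernel_service_file >/dev/null; then
            printf 'INFECTED: kernel_service pid %s is KeRanger; Force Quit it, then delete its open files\n' "$pid"
            return 0
        fi
    done
    return 1
}

# Constructed lsof-style sample (not real output): one KeRanger process with
# its Library file open, one benign Transmission process, and an unrelated
# document the ransomware has open, which must not match the indicator.
SAMPLE_LSOF='kernel_se 4242 alice  txt REG 1,4  34816 12345 /Users/alice/Library/kernel_service
Transmiss  4100 alice  cwd DIR 1,4    640   987 /Users/alice
kernel_se 4242 alice    3r REG 1,4   8192 12346 /Users/alice/Documents/report.docx'

# Number of sample lines the matcher flags; the sample above yields 1.
demo_match_count() {
    printf '%s\n' "$SAMPLE_LSOF" | match_kernel_service_file | wc -l | tr -d ' '
}

# Run both checks against the real system (macOS only).
scan_live() {
    infected=0
    find_general_rtf "" && infected=1
    check_kernel_service_process && infected=1
    if [ "$infected" = 1 ]; then
        echo "result: KeRanger indicators present"
        return 2
    fi
    echo "result: no KeRanger indicators found"
}

# Usage on the Mac being examined:  sh keranger_check.sh --live
case "${1:-}" in
    --live) scan_live ;;
esac
```

The matcher anchors on the full path rather than on the bare name "kernel_service", so a legitimate binary that happens to have a similarly named file open elsewhere does not trigger it; conversely, the process check only fires when both the process name and the open Library file are present, which is exactly the two-part condition the article uses to declare a process KeRanger's main process.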