|Added to Dr.Web virus database:||2016-03-09|
|Virus description was added:||2016-03-11|
- fd1f246ee9effafba0811fd692e2e76947e82687 (upx)
- 689cf98c54357d90527a38d922412c04a7107a89 (unpacked)
A ransomware Trojan for OS X first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file. The malicious application was signed with a valid Mac app development certificate. Thus, this program successfully bypassed Apple’s Gatekeeper protection. It can operate with the help of either user or root privileges. Once the Trojan is launched, it deletes its original file and creates the following ones:
- ~/Library/.kernel_pid—contains the process PID of the Trojan;
- ~/Library/.kernel_time—contains the time value the Trojan is first launched (in three days, the Trojan starts encrypting files);
- ~/Library/.kernel_complete—contains the “do not touch this\n” line. It is created if files are successfully encrypted.
In three days, the Trojan connects to one of three C&C servers via the TOR network and sends a request that looks as follows:
- hw_model—device model;
- hwid—the value that is obtained by creation of SHA256 hash from the IOPlatformUUID and IOPlatformSerialNumber values.
The server replies with two lines that are encoded with Base64 and contain a public RSA key and a file with cybercriminals’ demands.
Data is encrypted by using the AES-CBC-256 algorithm.
The Trojan first encrypts the files in the “/Users” folder except ones that were created by the malware program such as ".encrypted", "README_FOR_DECRYPT.txt", ".kernel_pid", ".kernel_time”, and ".kernel_complete".
Files under “/Volumes” are encrypted according to the Trojan’s list that contains 313 different file extensions.
Once a file is encrypted, the malware specifies the date of the file creation and modifications that it had before the encryption. In addition, the Trojan restores previous access privileges.
The malware’s key feature lies in the fact that it appends all encrypted files with the “.encrypted” extension and plants the “README_FOR_DECRYPT.txt” file into all directories.
Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware.