Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Desktops (Apple) Privacy Apple Technology

New Mac Ransomware Is Even More Sinister Than It Appears (wired.com) 49

An anonymous reader quotes a report from Wired: The threat of ransomware may seem ubiquitous, but there haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Though ThiefQuest is packed with menacing features, it's unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7's Devadoss notes that the malware itself is designed to look like a "Google Software Update program." So far, though, the researchers say that it doesn't seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide. [...] Given that the malware is being distributed through torrents, seems to focus on stealing money, and still has some kinks, the researchers say it was likely created by criminal hackers rather than nation state spies looking to conduct espionage.

This discussion has been archived. No new comments can be posted.

New Mac Ransomware Is Even More Sinister Than It Appears

Comments Filter:
  • Today is backup day (Score:5, Interesting)

    by raymorris ( 2726007 ) on Thursday July 02, 2020 @08:28AM (#60253806) Journal

    Today sounds like a good day to test my backups.
    Maybe you'll want to test yours today. (And Time Machine on the same disk wiped by ransomware or disk failure is not a backup).

    Good backups are:
    Automated
    Off-site
    Pull, not push (a machine can't overwrite the backup of itself)
    Rotated (you have backups from multiple times)
    Tested!

    The majority of small businesses who think they have backups running actually don't. They haven't tested in years, so don't know it stopped working 9 months ago.

    • Comment removed based on user account deletion
      • You are not limited to one selection from that list.
      • by raymorris ( 2726007 ) on Thursday July 02, 2020 @09:45AM (#60254014) Journal

        You bring up a good point. The remote account and/or mechanism should be able to read, not write.

        There are various ways to set up a read-only account.
        On Linux, you can use rrsync -ro in the .authorized_keys, you can use setcap cap_dac_read_search+ep for SELinux to enforce read-only, you can use rsyncd and tunnel, etc. You can use read-only snapshots by LVM, etc. Lots and lots of ways to do it on Linux.

        On Windows you'd typically have a backup operators AD group.

        What a lot of people do is the local machine is backed up to a local network drive (NAS) every day or even four times a day. It may be encrypted at that stage. The remote backup pulls from NAS each night or each week. The remote only has access to NAS, not to each workstation. Of course read access to the NAS.

        That gives you both very frequent backups that are local and remote backups without any remote access workstations.

        If your backup routine puts encrypted backups on the NAS, that handles the confidentiality risk of remote access - the remote can only access encrypted data.

        If the remote only gets an encrypted copy and doesn't have the key, you can help differential backups go quicker with an appropriately chosen cipher mode and the rsync algorithm, or just encrypt each file separately.

        • Tip from someone who very nearly lost his (Time Machine) backup because it was encrypted and the key was only kept on the backup source machine:
          you need somewhere safe (outside the source machine, and accessbile when the source machine is disabled) to keep the encryption key. I.e. not a USB thumb drive that can get corrupted.

          • Good point. We do backups because "one is none, two is one" and that certainly applies to the key.

            And two doesn't mean one thing twice. Two copies of identical USB thumb drives is ONE way of storing the the key. Thumb drives plus a printed copy in the fire safe is two.

            If you're going to print it, it's helpful to use a passphrase rather than a randomly generated key. The actual bits of the real key are derived from the passphrase.

    • And have more than one person testing. One of my companies had one guy doing backups. He signed off on the check off form like clockwork that everything was running and tested. We even had alert emails setup for any fails.

      The alerts went only to him. He deleted them every day.

      You can imagine what happened next.

    • Tested for sure. Most companies that get hit by ransomware have all of their rotated backups encrypted by the ransomware already by the time it gets triggered.

    • by GuB-42 ( 2483988 )

      Good backups are both off-site and on-site.
      On site, you have better control and availability. Off site will protect you against physical losses (ex: a fire).

      If you only have off-site backup you are at the mercy of your backup provider. For example it may decide to wipe your data because you forgot to pay the bill. And data recovery may take days and be expensive. Also, having both on-site and off-site satisfy the rule of three: three copies, one of them at a different location.

    • by Mr MW ( 4278811 )

      "Automated" and "pull, not push" sounds self-contradictory. Can you provide an example? Thanks!

      • backup-server # crontab -l

        01 01 * * * /use/local/bin/pull-backups

        I think there is something implicit in your question or thinking that I'm missing. You can schedule a job on the backup server the same way you would schedule a job on your desktop. What am I missing?

    • The majority of small businesses who think they have backups running actually don't. They haven't tested in years, so don't know it stopped working 9 months ago.

      Isn't that the truth!

      I always tell people: it's not the backup that's important; it's the restore!

      One thing that most people don't know about Time Machine: If you have identified more than one drive for backups, TM will automatically rotate backups to those drives. And if you make one of those drives be in an external USB enclosure, and only connect it weekly or monthly, TM will do a backup to it automatically when it is connected, and that can form a persistent backup probably good enough for most home use

      • For remote pull on a home machine, a VPS or an AWS Lambda may be options. I'm sure some service providers like Backblaze provide a pull-based client / configuration, but I don't know which ones. We used to when I owned a company similar to Backblaze, but more advanced and smaller. (We made it so you could boot a snapshot of your backup as a VM in our cloud).

    • If you have one computer (i.e. a home user), how do you test your backup? You can, of course, do the rest on the list, but the last is a bit of a challenge. Of course, everybody on slashdot has 20 computers, so that's not much of a problem for them, but a normal user tends to have only one.

      • That's a good question. I'd be curious to hear other people's answers.

        Off the top of my head, one can test restoring a random file or directory (after making a new backup of the good copy). Check that permissions are right. That's not the same as restoring the entire system, but it's a lot better than nothing.

        I bought a computer at a garage sale for $15 one time. Having a spare around is handy from time to time. I can let my little kid use the slow one. I could test restores on it.

        One could save an old ha

  • Ignoring the face that It’s probably cheaper to pay the $50 ransom than to buy a legitimate copy of the software, don’t run software on your machines that you don’t know the origin of. The primary transmission vector for this trojan is simple ignorance. On the positive side, this shines a light on the risks of using pirated software.

    • Ignoring the face that It’s probably cheaper to pay the $50 ransom than to buy a legitimate copy of the software

      Actually, a legitimate copy is cheaper in this case. It's being packaged as a pirated copy of Little Snitch, but Little Snitch only costs $45 for a single license [obdev.at] (and if you're using it on multiple machines, odds are you're a professional and should really know better than to be pirating software for your business).

  • Back in the day in the Mac v Windows wars, one of the big pluses for Mac was, "Macs don't get viruses! They're not insecure like Windoze! Lulz!"

    • by Geoffrey.landis ( 926948 ) on Thursday July 02, 2020 @08:42AM (#60253850) Homepage

      Back in the day in the Mac v Windows wars, one of the big pluses for Mac was, "Macs don't get viruses! They're not insecure like Windoze! Lulz!"

      Since this one seems to require that you download and install it, it's more a Trojan than a virus.

      But, yeah, the lesson seems to be, don't install software from sketchy sites.

    • It still applies.
      A virus is not the same as a trojan horse.

      You mean they aren't imuun for malware (collection name for viruses, worms, trojans and spyware)
    • The number of viruses and other malware that affect the Mac was and still is much lower than Windows. It was always a question of market share - fewer users means less motivation to write the malware. There are, of course, architectural differences in the OS and maybe the Mac is a bit harder to attack, but fundamentally ANY OS will have vulnerabilities. It is just the nature of complex software. But you're way smarter than me, so you knew that.

    • Back in the day in the Mac v Windows wars, one of the big pluses for Mac was, "Macs don't get viruses! They're not insecure like Windoze! Lulz!"

      I wondered how long it would be before some slopehead would drag out that tired meme. Guess we know.

      Macs still donâ(TM)t get self-replicating malware, i.e. "viruses". This is a Trojan; or at least the distribution method is Trojan-like.

      And, as has been pointed-out many times: There is simply no practical way to create a usable OS that can provide 100% protection against a User determined to bypass, defeat and ignore every single security measure built into said OS.

    • Macs had viruses scince the days of the first Macs.

      The only reason why they get fewer viruses than M$ is because they are a smaller market. If Apple, not M$ dominated the desktop, people would be saying "Well Windows does not get viruses!"

      Mac users need to turn off their personal reality distortion field. They are as vulnerable as anyone else.

    • Try this:
      Install Windows in a VM, maybe an AWS instance.
      Run a file integrity monitor that records the SHA2 of each file.

      Connect it to the internet for 15 minutes without a Linux or BSD firewall in front of it to protect it.

      After 15 minutes check out all of the system files and registry keys that have been replaced by malware.

      Vs
      On a Mac, if you intentionally download and install "hacked" software, it's now possible that the hacked software may indeed be hacked. Which is NEWS.

  • by sinij ( 911942 ) on Thursday July 02, 2020 @08:44AM (#60253854)
    I disagree with one of the key points in the featured article:

    it's unlikely to infect your Mac anytime soon unless you download pirated, unvetted software

    As was shown many times in the past, malicious actors are successful at targeting official app stores. Typically, this is done by buying legitimate apps, uploading obfuscated malicious code via patch, the malicious payload successfully fools automated detection that is mostly signature-based and compromising even users that only use platform's app store and screen all their applications.

    • by njvack ( 646524 )

      As was shown many times in the past, malicious actors are successful at targeting official app stores. Typically, this is done by buying legitimate apps, uploading obfuscated malicious code via patch, the malicious payload successfully fools automated detection that is mostly signature-based and compromising even users that only use platform's app store and screen all their applications.

      Mac apps downloaded from the MAS run in a sandbox, so their malware potential is limited. And Apple does run automated checks to see if you're acting like malware. And if an app does get bought and subverted to do bad things outside its sandbox... once its behavior is detected, Apple will revoke the developer's cert and inactivate the app. Dev certs cost actual money, so if your app's behavior is criminal and you used your real credit card to buy it, expect a visit from the FBI. Sure, you can use a stolen c

      • These policies and practices are exactly why I am a very happy user of the supposedly evil walled-garden of the Apple ecosystem.

        And yes I appreciate that on my Macs, there are ways around it and incremental versions between all or nothing.

        As for my phone, even if they offered an option for bypassing, I would never do it.

  • by xack ( 5304745 ) on Thursday July 02, 2020 @09:07AM (#60253896)
    While open source developers are developing codes of conducts and making yet another distro, people would rather try to pirate proprietary software even at the risk of getting viruses. Think about it, the gimp is 24 years old now, yet people still pay for or pirate photoshop. We will have Linux is still not ready for the neural implant discussions in a 100 years.
  • It would be interesting to send the ransom address soem small amount - say $10 - and then see if that account sent money anywhere else... could be you could track backwards from where the money was sent on, to find the owner of the ransomware wallet.

    • It would be interesting to send the ransom address soem small amount - say $10 - and then see if that account sent money anywhere else... could be you could track backwards from where the money was sent on, to find the owner of the ransomware wallet.

      That's why it is vitally important to outlaw the use of all cryptocurrency!

      No cryptocurrency; no ransomware payment-conduit. Simple as that!

  • Seems like a good place to note that this week, Google's Backup and Sync app for OS X (that syncs your Google Drive data to your local Mac disk), suddenly started crashing when run on OS X El Capitan. Rather than fix the problem, Google did an ex post facto announcement that El Capitan is now unsupported, leaving hundreds of thousands (millions?) of Mac users in the lurch.

    .

    (noting that El Cap debuted in late 2015, so not even five years old)

    And so - relevant to this story - no doubt some of those searc

    • by Wolfrider ( 856 )

      --Speaking as someone who was recently using an ElCap iMac as their primary PC, no software company is obliged to support any particular OS version indefinitely. From wiki:

      Support status
      Unsupported. Extended support ended in September 2018

      --So yeah, they're google - but they don't want to continue supporting software for an unsupported OS.

  • If you think you're being leet for stealing software, this is your reward.

    Oh, you wouldn't have bought it anyway? Then why are you stealing now? Just because it's free?

    Let the excuses fly.

  • which researchers are now calling ThiefQuest, gets more interesting from there. In addition to ransomware, ThiefQuest

    "Thief" has bad connotations. Parents won't want their scriptkids playing with it. Let's call it RougeQuest instead.

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...