Security researchers have discovered functional macOS malware

Malware developers are apparently developing functional ransomware that targets macOS.


Cybercriminals have apparently realized that the tactics they use on other platforms also work on Apple systems. Security researchers at Trend Micro have discovered macOS malware that is capable of both encrypting files and exfiltrating data. Until now, ransomware targeting macOS was at best a proof of concept and at worst simply did not work as intended.

Once the files on the system had been encrypted, the malware posed as LockBit ransomware by changing the desktop wallpaper. However, the malware apparently did not originate from the well-known ransomware group, even though one of the more credible earlier attempts at macOS ransomware did come from LockBit. The wallpaper is labeled LockBit 2.0, yet the group's malware has been at version 3.0 for some time and its developers have since been caught. The newly discovered sample therefore appears to be the work of a different actor who is simply borrowing the better-known group's name.

According to the researchers, the ransomware is written in Go, the programming language developed by Google. It is distributed as an x86_64 binary, so it runs natively only on Macs with an Intel processor, and on Apple Silicon Macs only if the Rosetta 2 translation layer is installed.


Researchers from SentinelOne, who address the issue on their blog, suggest the name macOS.NotLockBit for the malware. In addition to those already identified by other researchers, they have found a number of further Mach-O files belonging to the family. Mach-O is the file format macOS uses for executables, object code and dynamic libraries. Their blog post also lists indicators of compromise (IoCs), which defenders can use to check whether their own systems may be infected.
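Two practical checks follow from the last two paragraphs: recognising Mach-O files and their architecture (an x86_64-only binary is exactly the kind that needs Rosetta 2 on Apple Silicon), and comparing file hashes against a list of IoCs. The script below does both over a directory tree. It is an added example and not code from the article, Trend Micro or SentinelOne; the Mach-O headers it writes and the IoC hash it matches are constructed for the demo and are not the real NotLockBit indicators, and the helper names (`macho_archs`, `scan_tree`, `demo`) are the example's own.

```python
"""Mach-O triage: find Mach-O files under a directory, report their CPU
architectures (thin x86_64 / arm64 or universal) and flag any whose SHA-256
is in an IoC set. Added example; samples and IoC hash are constructed."""
import hashlib
import os
import struct
import tempfile
from typing import Optional

# Mach-O magic values as read in the file's own byte order.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE  # fat (universal) header, always stored big-endian

CPU_TYPE_X86, CPU_TYPE_ARM, CPU_ARCH_ABI64 = 7, 12, 0x01000000
CPU_NAMES = {
    CPU_TYPE_X86: "i386",
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM: "arm",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}


def macho_archs(data: bytes) -> list:
    """Return the architectures in a Mach-O blob, or [] if it is not Mach-O."""
    if len(data) < 8:
        return []
    # Thin binary: 32- or 64-bit mach_header in either byte order.
    for endian in ("<", ">"):
        magic, cputype = struct.unpack(endian + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")]
    # Fat binary: big-endian fat_header, then nfat_arch 20-byte fat_arch records.
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC or not 0 < nfat <= 20:
        # Java .class files share the CAFEBABE magic; their version field sits
        # where nfat_arch would be and is far larger than any real slice count.
        return []
    archs = []
    for i in range(nfat):
        off = 8 + i * 20  # fat_arch: cputype, cpusubtype, offset, size, align
        if off + 20 > len(data):
            return []
        cputype = struct.unpack(">I", data[off:off + 4])[0]
        archs.append(CPU_NAMES.get(cputype, f"cputype_{cputype:#x}"))
    return archs


def needs_rosetta(archs: list) -> bool:
    """Intel-only binary: an Apple Silicon Mac runs it only via Rosetta 2."""
    return "x86_64" in archs and "arm64" not in archs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_file(path: str, ioc_hashes: set) -> Optional[dict]:
    """Describe one file if it is Mach-O, else None."""
    with open(path, "rb") as f:
        data = f.read()
    archs = macho_archs(data)
    if not archs:
        return None
    digest = sha256_hex(data)
    return {"name": os.path.basename(path), "path": path, "archs": archs,
            "needs_rosetta": needs_rosetta(archs), "sha256": digest,
            "ioc_match": digest in ioc_hashes}


def scan_tree(root: str, ioc_hashes: set) -> list:
    """Walk root and return triage records for every Mach-O file, by name."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                rec = triage_file(os.path.join(dirpath, name), ioc_hashes)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if rec:
                hits.append(rec)
    return sorted(hits, key=lambda h: h["name"])


def make_thin_header(cputype: int) -> bytes:
    """Constructed sample: little-endian mach_header_64 with no load commands."""
    # magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
    return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)


def make_fat_header(cputypes: list) -> bytes:
    """Constructed sample: universal wrapper around thin headers."""
    slices = [make_thin_header(ct) for ct in cputypes]
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    offset = 8 + 20 * len(cputypes)
    for ct, blob in zip(cputypes, slices):
        out += struct.pack(">5I", ct, 0, offset, len(blob), 0)
        offset += len(blob)
    return out + b"".join(slices)


def demo() -> list:
    """Write three constructed files into a temp dir and scan it."""
    tmp = tempfile.mkdtemp(prefix="macho_triage_")
    intel_only = make_thin_header(CPU_TYPE_X86 | CPU_ARCH_ABI64)
    samples = {
        "intel_only_sample": intel_only,
        "universal_sample": make_fat_header([CPU_TYPE_X86 | CPU_ARCH_ABI64,
                                             CPU_TYPE_ARM | CPU_ARCH_ABI64]),
        "script.sh": b"#!/bin/sh\necho not a Mach-O\n",
    }
    for name, blob in samples.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(blob)
    # Constructed IoC set: treat the Intel-only sample as a known-bad hash.
    return scan_tree(tmp, {sha256_hex(intel_only)})


if __name__ == "__main__":
    for hit in demo():
        rosetta = " (needs Rosetta 2 on Apple Silicon)" if hit["needs_rosetta"] else ""
        verdict = "IOC MATCH" if hit["ioc_match"] else "clean"
        print(f"{hit['name']}: {','.join(hit['archs'])}{rosetta} {verdict}")
```

On a real Mac, point `scan_tree` at a directory such as a user's Downloads folder and load the hash set from the vendor's IoC list. The parser deliberately stops at the header: full load-command parsing is unnecessary for architecture and hash matching, and keeping the attack surface of a triage tool small matters when it is run over untrusted files.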

The NotLockBit malware currently appears to be under development and has not yet been spotted in the wild. The AWS account the developer used has been blocked, but the authors of the SentinelOne post believe that, given the development effort already invested, something more is likely to come from this direction in the medium term.

(kst)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.