Apple quietly added detection of something called “KeRanger” to the XProtect anti-malware definitions in OS X on Saturday.

It was revealed on Sunday by Claud Xiao of Palo Alto Networks that KeRanger is the first real Mac ransomware, and it’s not just theoretical. It’s in the wild.

According to Xiao, the Transmission app – a BitTorrent client – was infected to include this ransomware. The infected app was distributed from the official Transmission website, but with a different code signature than the normal one previously used to sign the Transmission app, implying that the app itself had been modified and re-signed by the attacker (although this has not yet been confirmed).

The modified copy of Transmission includes a file named General.rtf, which is actually an executable file rather than the rich-text document it pretends to be. When the app is launched, this file is copied to a file named kernel_service in the user Library folder (which is hidden by default on recent versions of OS X). This kernel_service process remains running in the background, and creates additional files named. The latter of these files contains a timestamp, which is used to identify when 3 days have passed. After 3 days, the malware “detonates” and begins encrypting files.
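The two artifacts described above (a file carrying an .rtf extension whose contents are actually a Mach-O executable, and a kernel_service file dropped into the user Library folder) are both cheap to check for. The following is an added example written for this post, not Malwarebytes' or Palo Alto Networks' code: it classifies a file by its leading magic bytes rather than trusting the extension, and it looks for the dropped kernel_service name under a given Library directory. The sample files it writes are constructed in a temporary directory purely to exercise the checks; the magic values are the standard RTF and Mach-O header constants.

```python
"""Spot an executable masquerading as an RTF document, and flag the
kernel_service file name this post describes, under a Library folder.
Added example; the sample files below are constructed, not real samples."""
import os
import tempfile

# Real RTF documents begin with the group "{\rtf".
RTF_MAGIC = b"{\\rtf"

# Mach-O magic numbers: 32-bit and 64-bit, little- and big-endian, plus the
# fat/universal header (0xCAFEBABE, which Java class files also share, so a
# "mach-o" result on a .class file would be a false positive worth noting).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC    (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 (64-bit)
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC   (universal)
}


def classify_header(data: bytes) -> str:
    """Classify a file by its first bytes: 'rtf', 'mach-o' or 'unknown'."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data[:4] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def is_masquerading_rtf(path: str) -> bool:
    """True when a file named *.rtf actually starts with a Mach-O header."""
    if not path.lower().endswith(".rtf"):
        return False
    with open(path, "rb") as fh:
        return classify_header(fh.read(8)) == "mach-o"


def suspicious_library_artifacts(library_dir: str) -> list:
    """Return the kernel_service path if it exists in the given Library folder.

    library_dir would normally be os.path.expanduser('~/Library'); it is a
    parameter here so the check can be run against any directory."""
    candidate = os.path.join(library_dir, "kernel_service")
    return [candidate] if os.path.isfile(candidate) else []


def demo() -> tuple:
    """Build constructed samples in a temp dir and run both checks on them.

    Returns (general_rtf_flagged, real_rtf_flagged, kernel_service_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the post's General.rtf: a 64-bit little-endian
        # Mach-O header followed by padding, under an .rtf file name.
        fake_rtf = os.path.join(tmp, "General.rtf")
        with open(fake_rtf, "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)

        # A genuine RTF document for comparison (constructed).
        real_rtf = os.path.join(tmp, "Notes.rtf")
        with open(real_rtf, "wb") as fh:
            fh.write(b"{\\rtf1\\ansi Hello}")

        # Constructed Library folder containing the dropped file name.
        library = os.path.join(tmp, "Library")
        os.mkdir(library)
        with open(os.path.join(library, "kernel_service"), "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)

        return (
            is_masquerading_rtf(fake_rtf),
            is_masquerading_rtf(real_rtf),
            len(suspicious_library_artifacts(library)),
        )


if __name__ == "__main__":
    flagged, clean, hits = demo()
    print(f"General.rtf flagged as Mach-O: {flagged}")
    print(f"Genuine RTF flagged: {clean}")
    print(f"kernel_service files found: {hits}")
```

The magic-byte check is the part worth keeping: an extension says nothing about what a file is, and a Mach-O header under a document name is a strong signal on its own. The file-name check is only as good as the name the malware happens to use, which is why XProtect-style signatures need updating per family while the header mismatch does not.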