According to MalwareHunterTeam, the LockBit ransomware group is purportedly working on a new variant of malware that may encrypt data on Apple macOS. Although LockBit has traditionally concentrated on Linux and Windows systems, this would be the first instance of malware aiming at Mac devices.
The ransomware organization is renowned for its RaaS (ransomware-as-a-service) business, which rents out the ransomware to online criminals in exchange for money. Locker Apple M1 64 is the name of the new malware, and there are separate variants for PPC Macs.
Vx-Underground, a site that analyzes malware samples, claims that the latest ransomware, locker Apple M1 64, started to target Apple MacOS devices in November 2022. Although no anti-malware engines on VirusTotal have found it, information on this malware has been scarce since last fall. Researchers have found that by concentrating on Macs, the LockBit ransomware gang is expanding the reach of its operations, which is a significant change in its strategies.
Security researcher and creator of Objective-See Patrick Wardle claims that despite the malware’s ability to execute on Macs, it does not provide a significant concern because of several characteristics. Because the malware sample Wardle examined was not signed by a trusted certificate, Apple MacOS won’t allow it to be executed.
However, even if the malware succeeds in infiltrating a macOS device, Apple’s file system protection technologies like Transparency, Consent, and Control/TCC would restrict the impact of the infection. The malware also contained faults, leading Wardle to conclude it was unfit. Wardle claimed in a blog post that the ransomware has bugs and weaknesses, such as buffer overflows that lead to an early escape.
Although this may be the first instance of a sizable ransomware gang producing macOS-compatible ransomware, it is important to note that this sample is far from suitable for use […] It does not yet threaten macOS users due to its invalid code-signing signature, ignorance of TCC, and other file-system protections.
The malware creation for Mac systems running on the macOS operating system by the LockBit ransomware gang represents a significant advancement in their attack strategies. But, according to Apple’s analysis, the security precautions in place mean that the present malware does not pose a significant risk to macOS devices.
Nonetheless, it highlights the necessity of ongoing awareness of changing malware threats and the significance of strong cybersecurity measures to fend off ransomware attacks on all platforms.
Conclusion
Files on devices running Apple’s macOS operating system can now be encrypted by new artifacts created by threat actors behind the LockBit ransomware operation. The MalwareHunterTeam broke the news of the development over the weekend. It looks to be the first time a large-scale ransomware group has developed a macOS-based payload. The macOS form has been accessible since November 11, 2022, according to further samples found by vx-underground, and up until now, it has managed to avoid being discovered by anti-malware engines.
With connections to Russia, LockBit is a well-known cybercrime group operating since the end of 2019. In 2021 and 2022, the threat actors released two significant modifications to the locker. Malwarebytes statistics from last week show that with 93 successful assaults, LockBit overtook Cl0p as the second most popular ransomware in March 2023. The new apple macOS version (“locker Apple M1 64″_) is still under development and uses an incorrect signature to sign the executable, according to an analysis of the software. This also implies that even if it is downloaded and launched on a device, Apple’s Gatekeeper security measures will prevent it from being used.
According to security researcher Patrick Wardle, the ransomware sample’s payload contains files like autorun.inf and ntuser.dat.log, indicating that it was initially intended to attack Windows. While it can run on Apple Chips, Wardle noted, “that is the extent of its impact.” Thus, macOS users don’t need to worry right now. Wardle also referred to additional security measures put in place by Apple, including System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC), which stop the execution of unauthorized code and mandate that apps request users’ permission before accessing protected files and data.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.