A recently unearthed sample of macOS malware continues the trend of attacks against Apple’s ecosystem, but in its current state it’s not a major threat to Mac users.
Malware producers are seeing macOS as a bigger target than ever, and have stepped up their attempts to infiltrate Apple’s operating system. However, not all of the attempts could be considered a threat to the average user.
An analysis of a new “Turtle” ransomware by Patrick Wardle of Objective-See details one sample of macOS malware that had all of the component parts of ransomware. However, it was found in a state that would only harm those who were thoroughly determined to be infected.
The “Turtle” name stems from an examination of the code, which was written in Go. Internal references to “Turtlerans” and “TurmiRansom,” as well as files prefixed with “TurtleRansom” meant it was easy to give the malware its name.
An initial breakdown of the sample’s zip file reveals that the malware has been compiled for many popular platforms and architectures, including Windows, Linux, and macOS. The macOS .pkg files were not packages, but turned out to be Mach-O executables compiled for Intel and Apple Silicon Macs.
It was also determined that the malware was first developed for Windows before being ported over to macOS. The references to Windows meant it had a high flagging rate of 24 out of 62 security vendors on VirusTotal after just two days, which is an unusual feat for macOS malware to achieve.
Breaking it down
A check of the malware discovers that the code is signed so it could run on macOS. However, since it is signed adhoc and not notarized, macOS Gatekeeper should block its execution unless users allow it to run, though it may also be deployed by some form of exploit.
Attempts to extract embedded strings went very well, since there was seemingly no attempts to obfuscate them at all. What was found consisted of strings enabling a fairly simple ransomware setup.
Indeed, since the encryption was performed using a Go crypto/AES library, it was quite trivial to pick up the ransomware key with a carefully-placed breakpoint. The same hardcoded key was also found in memory.
“As AES is symmetrical and here the key is hard-coded, it’s trivial for us to write a decryptor,” Wardle writes, before creating a decryptor and testing it.
Mostly harmless, for now
“In this case, the average macOS user is unlikely to be impacted by this macOS sample,” the report states. With Gatekeeper stepping in, it requires users to disregard the security step entirely, an unusual security setup, or for the malware to be run via another exploit in order to start encrypting files.
Apple has also taken steps to be “fairly proactive about mitigating ransomware attacks on macOS,” with the implementation of SIP and read-only system volumes protecting core OS files. TCC protections to user files in protected directories also help to limit the effects of ransomware.
While most Mac users won’t need to worry too much about Turtle ransomware, its existence is another reason to “give us pause for concern,” writes Wardle, as well as to help start conversations on ways to detect and prevent such samples and attacks from occurring to macOS.
How to protect yourself from Turtle ransomware
In its current state, users don’t have to do that much to keep themselves safe from the effects of Turtle ransomware. All that really needs to be adhered to is good computing hygiene.
For example, paying attention to Gatekeeper and other macOS security prompts when running applications or opening files, or downloading software only from reputable or known safe online sources. Also, not blindly opening files sent from unknown sources over email is a good move.
Being sensible online should keep most people safe in general, ransomware or not.