The “Patcher” malware arrives disguised as a fake Adobe Premiere Pro or Microsoft Office for Mac installer.
Cybercriminals favor crypto-ransomware because it can target not only Windows desktops but also devices running macOS or Linux. Now, according to ESET researchers, a new ransomware called “Patcher” is targeting Mac users.
The new ransomware, Patcher, is written in Swift and is being distributed through BitTorrent distribution sites. The torrent contains just one ZIP file, which is actually an application bundle with the bundle identifier NULL.prova. ESET researchers identified two fake “Patcher” applications: one for Adobe Premiere Pro and the other for Microsoft Office for Mac. The app is poorly coded: according to the research, its window has a transparent background, which is confusing, and once the window is closed it is difficult to reopen.
When the victim clicks the Start button, the encryption process begins and a file called README!.txt is copied throughout the system's directories, including the Documents and Photos directories. The ransomware then generates a random 25-character string, which serves as the key for file encryption. This same key is applied to all the existing files. The files are enumerated with the find command-line tool, and the zip tool is then used to store each file in an encrypted archive.
Afterward, the original file is deleted with rm and the modification time of the encrypted file is set to midnight, Feb 13th, 2010 using the touch command. The same process that was carried out for the directory is then applied to all the external and network storage folders present in /Volumes. After file encryption completes, the code attempts to null all the available free space on the root partition using diskutil. It is worth noting that the malware uses the wrong path for diskutil: on macOS it is /usr/sbin/diskutil, while the malware tries to execute /usr/bin/diskutil.
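The two on-disk traces described above, copies of README!.txt and encrypted files stamped with midnight, Feb 13th, 2010, are enough to triage a volume. The sketch below is an added example, not code from ESET or from the malware; the function names and the constructed sample tree are assumptions. It goes slightly beyond the text by accepting that local midnight at any UTC offset, since touch stamps local time and a share or image may be examined from another timezone.

```python
import calendar
import os
import tempfile

NOTE_NAME = "README!.txt"  # ransom note name given in the article
# Midnight, Feb 13th 2010 as UTC; local midnight differs by the UTC offset.
MIDNIGHT_UTC = calendar.timegm((2010, 2, 13, 0, 0, 0))
EARLIEST = MIDNIGHT_UTC - 14 * 3600  # local midnight at UTC+14
LATEST = MIDNIGHT_UTC + 12 * 3600  # local midnight at UTC-12


def stamped_like_patcher(mtime):
    """True if mtime is midnight 2010-02-13 at some 15-minute UTC offset."""
    m = int(mtime)
    return EARLIEST <= m <= LATEST and (m - MIDNIGHT_UTC) % 900 == 0


def scan(root):
    """Return (dirs holding the note, files carrying the fixed mtime)."""
    note_dirs, stamped = [], []
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME in files:
            note_dirs.append(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # unreadable or vanished entry: keep scanning
            if stamped_like_patcher(mtime):
                stamped.append(path)
    return sorted(note_dirs), sorted(stamped)


def build_sample(root, utc_offset_hours=8):
    """Constructed tree: one stamped file, one note, one untouched file."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("encrypted_sample", NOTE_NAME, "untouched.txt"):
        open(os.path.join(docs, name), "w").close()
    stamp = MIDNIGHT_UTC - utc_offset_hours * 3600  # local midnight, UTC+8
    os.utime(os.path.join(docs, "encrypted_sample"), (stamp, stamp))
    return docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

A directory that holds the note next to files with the fixed timestamp is a strong signal; either trace alone deserves a closer look before drawing a conclusion.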
The victim receives instructions from the README!.txt file, which is hard-coded within the Filecoder. This means the Bitcoin address and email address are the same for every victim, and both samples use the same message and contact details. Note that there has not been any transaction related to the Bitcoin wallet, which suggests that so far the campaign's designers have not earned anything from this ransomware.
The problem with this campaign, according to the researchers, is that the ransomware has no code for communicating with a C&C server. Therefore, there is literally no way to decrypt the files, since the encryption key was never sent to the attackers in the first place. Furthermore, the ZIP password is generated with arc4random_uniform, which is believed to be a secure random number generator. So, victims have no other choice but to pay the ransom to get the files back.
So far, the attackers have targeted Chinese-speaking victims. This conclusion rests on the fact that the ransom note is written in Mandarin and its instructions say that the attackers can be contacted through the QQ instant messaging service to pay the ransom and obtain the unlock code. However, since the target computer is locked up, victims have to contact the attackers from another machine or device.
This is not the first time researchers have discovered ransomware targeting Mac users. Last year, cybercriminals compromised the Transmission BitTorrent client installer and delivered ransomware to users who were downloading Transmission at that time.