2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2017-06-12" ,
"extends_uuid" : "" ,
"info" : "OSINT - MacRansom: Offered as Ransomware as a Service" ,
"publish_timestamp" : "1497258829" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1497258805" ,
"uuid" : "593e5a1d-0a18-40ac-9051-4188950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#6a0084" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-platform=\"MacOS_X\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#006c6c" ,
"local" : "0" ,
"name" : "ecsirt:malicious-code=\"ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#420053" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-type=\"Ransom\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258805" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "593e5a28-466c-4c46-a613-42a4950d210f" ,
"value" : "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258805" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "593e5a42-c0cc-4fdc-92b6-4f36950d210f" ,
"value" : "Many Mac OS users might assume that their computer is exempt from things like ransomware attacks and think that their system is somehow essentially \u201csecure.\u201d It is true that it\u2019s less likely for a Mac OS user to be attacked or infected by malware than a Windows user, but this has nothing to do with the level of vulnerability in the operating system. It is largely caused by the fact that over 90% of personal computers run on Microsoft Windows and only around 6% on Apple Mac OS.\r\n\r\nFigure 1: Market share for desktop OS (reference: NetMarketShare)\r\n\r\nMacRansom Portal\r\nJust recently, we here at FortiGuard Labs discovered a Ransomware-as-a-service (RaaS) that uses a web portal hosted in a TOR network, which has become a trend nowadays. However, in this case it was rather interesting to see cybercriminals attack an operating system other than Windows. And this could be the first time to see RaaS that targets Mac OS" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Antivirus detection" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258805" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "593e5a75-a6a4-465d-a853-4bdc950d210f" ,
"value" : "OSX/MacRansom.A!tr"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Zip" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258805" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "593e5a90-18f4-4b53-a270-4d29950d210f" ,
"value" : "a729d54da58ca605411d39bf5598a60d2de0657c81df971daab5def90444bcc3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Mach-O file" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258805" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "593e5a90-39f8-4eda-a803-4a07950d210f" ,
"value" : "617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Dropped files" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258805" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "593e5aab-0620-49a5-b936-4296950d210f" ,
"value" : "~/LaunchAgent/com.apple.finder.plist"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Dropped files" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258805" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "593e5aab-7d24-4657-ba18-40d0950d210f" ,
"value" : "~/Library/.FS_Store"
} ,
{
"category" : "External analysis" ,
"comment" : "FAQ from the MacRansom portal" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258805" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "593e5adb-ecdc-4c42-be07-4440950d210f" ,
"value" : "mac17.png"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Mach-O file - Xchecked via VT: 617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258809" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "593e5b39-977c-442c-ba46-bbf302de0b81" ,
"value" : "cf0743ed381ade69bba3d1dd3d357a8300bcd4ae"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Mach-O file - Xchecked via VT: 617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258809" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "593e5b39-6a4c-471c-85da-bbf302de0b81" ,
"value" : "8fe94843a3e655209c57af587849ac3a"
} ,
{
"category" : "External analysis" ,
"comment" : "Mach-O file - Xchecked via VT: 617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1497258810" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "593e5b3a-2020-4e7b-add4-bbf302de0b81" ,
"value" : "https://www.virustotal.com/file/617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98/analysis/1497256956/"
}
]
}
}
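An added example, not part of the MISP event above and not code from CIRCL or FortiGuard Labs, showing how a consumer of this export turns it into detection content. Only attributes with `to_ids` set are treated as indicators (the link, free-text excerpt and AV detection name are context and are skipped), hash values are normalised to lower case, and the `filename` indicators, which MISP writes relative to `~`, are expanded against a known home directory before being compared with file-event telemetry. The embedded event fragment is trimmed from the event above and keeps its published hashes and paths; the observed-file records, the `/Users/alice` home directory and the placeholder digests are constructed for the demonstration.

```python
"""Extract detection-ready indicators from a MISP event export and match
them against observed host artefacts (added example, not MISP project code)."""
import json
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed: a trimmed copy of the MacRansom event, keeping only the fields
# the extractor relies on. Hashes, filenames and to_ids flags are as published.
MISP_EVENT_JSON = r'''
{"Event": {"info": "OSINT - MacRansom: Offered as Ransomware as a Service",
 "uuid": "593e5a1d-0a18-40ac-9051-4188950d210f",
 "Attribute": [
  {"category": "External analysis", "type": "link", "to_ids": false,
   "value": "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service"},
  {"category": "Antivirus detection", "type": "text", "to_ids": false,
   "value": "OSX/MacRansom.A!tr"},
  {"category": "Payload delivery", "type": "sha256", "to_ids": true,
   "value": "a729d54da58ca605411d39bf5598a60d2de0657c81df971daab5def90444bcc3"},
  {"category": "Payload delivery", "type": "sha256", "to_ids": true,
   "value": "617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98"},
  {"category": "Payload delivery", "type": "sha1", "to_ids": true,
   "value": "cf0743ed381ade69bba3d1dd3d357a8300bcd4ae"},
  {"category": "Payload delivery", "type": "md5", "to_ids": true,
   "value": "8fe94843a3e655209c57af587849ac3a"},
  {"category": "Artifacts dropped", "type": "filename", "to_ids": true,
   "value": "~/LaunchAgent/com.apple.finder.plist"},
  {"category": "Artifacts dropped", "type": "filename", "to_ids": true,
   "value": "~/Library/.FS_Store"}
 ]}}
'''

# Order is fixed so that match results come out in a deterministic order.
HASH_TYPES = ("md5", "sha1", "sha256")

# Constructed file-event records, shaped like an EDR feed that reports the
# path and precomputed digests of each file it sees. The first record carries
# the published Mach-O sha256 in upper case; the other digests are placeholders.
SAMPLE_OBSERVATIONS = [
    {"path": "/Users/alice/Library/.FS_Store",
     "sha256": "617F7301FD67E8B5D8AD42D4E94E02CB313FE5AD51770EF93323C6115E52FE98"},
    {"path": "/Users/alice/LaunchAgent/com.apple.finder.plist",
     "sha256": "0" * 64},
    {"path": "/Applications/Safari.app/Contents/MacOS/Safari",
     "sha256": "1" * 64},
]


def extract_indicators(event_json: str, include_deleted: bool = False) -> dict:
    """Return {attribute_type: set(values)} for attributes flagged to_ids.

    Attributes with to_ids false (links, free text, AV names) are context for
    an analyst, not detection rules, so they are skipped. Soft-deleted
    attributes are skipped unless include_deleted is set. Hashes are lower-cased
    so a match does not depend on the casing of the tool that produced them.
    """
    event = json.loads(event_json)["Event"]
    indicators = defaultdict(set)
    for attr in event.get("Attribute", []):
        if attr.get("deleted") and not include_deleted:
            continue
        if not attr.get("to_ids"):
            continue
        value = attr["value"].strip()
        if attr["type"] in HASH_TYPES:
            value = value.lower()
        indicators[attr["type"]].add(value)
    return dict(indicators)


def expand_home(path: str, home: str) -> str:
    """Expand a leading '~/' against an explicit home directory; MISP filename
    indicators are written relative to the victim's home, not the analyst's."""
    if path == "~" or path.startswith("~/"):
        return str(PurePosixPath(home) / path[2:])
    return path


def match_observations(indicators: dict, observations: list, home: str) -> list:
    """Compare file-event records against hash and filename indicators.

    Returns a list of (observed_path, indicator_type, matched_value) hits; a
    single file can produce several hits if both its digest and its path match.
    """
    filename_hits = {expand_home(p, home) for p in indicators.get("filename", ())}
    hits = []
    for obs in observations:
        for algo in HASH_TYPES:
            digest = obs.get(algo)
            if digest and digest.lower() in indicators.get(algo, ()):
                hits.append((obs["path"], algo, digest.lower()))
        if obs["path"] in filename_hits:
            hits.append((obs["path"], "filename", obs["path"]))
    return hits


if __name__ == "__main__":
    iocs = extract_indicators(MISP_EVENT_JSON)
    for hit in match_observations(iocs, SAMPLE_OBSERVATIONS, "/Users/alice"):
        print("HIT %-55s %-8s %s" % hit)
```

The home-directory expansion is the step most often skipped: matching `~/Library/.FS_Store` literally against EDR paths never fires, because telemetry reports absolute paths. In a real deployment the same expansion is run once per user home on the host.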