Ransomware tampering bypassed Apple's Gatekeeper


It appears that some installations of the Transmission application may carry ransomware. Palo Alto Networks reported the malware after the popular BitTorrent client received a widely publicized update, its first in two years of no development. The infection was apparently accomplished by infiltrating the developer's servers, where someone replaced some of the DMG installation packages with a modified version.

Palo Alto Networks:

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

The certificate situation is interesting. It sounds like the hackers obtained an authentic certificate from Apple and used it to sign the modified distribution. That seems to call into question Apple's process for issuing certificates to developers: if malware can be issued a valid certificate, the security the system is supposed to provide is essentially broken.

Apple reportedly has revoked the relevant certificate, so OS X users will no longer be able to install the compromised packages. That doesn't mean, however, that this is the only such attack, and other installations may be vulnerable.
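One practical check a user can run on a bundle they already downloaded is to ask Apple's own signing tools whether the signature still verifies and whether Gatekeeper still accepts it, since a revoked certificate fails the assessment. This is an added example, not code from the original post or from the Transmission project; it assumes macOS with codesign and spctl, and the application path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): verify an app bundle's code
# signature and its Gatekeeper assessment. A bundle signed with a certificate
# that Apple has since revoked is reported as "rejected".
# Assumes macOS with codesign(1) and spctl(8); elsewhere it prints "unavailable".

# assess_app <path-to-.app>
# Prints one of: verified | rejected | unavailable
assess_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo unavailable
        return 2
    fi
    if [ ! -d "$app" ]; then
        echo rejected
        return 1
    fi
    # --deep also checks nested helpers and frameworks; --strict applies the
    # current signing rules instead of legacy leniency.
    if ! codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
        echo rejected
        return 1
    fi
    # spctl applies Gatekeeper's policy, which includes revoked Developer ID certificates.
    if ! spctl --assess --type execute "$app" >/dev/null 2>&1; then
        echo rejected
        return 1
    fi
    echo verified
    return 0
}

# Print the certificate chain and Team ID so they can be compared with the
# developer you expected to have signed the bundle.
show_signer() {
    codesign -dv --verbose=4 "$1" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
}

# Example usage (placeholder path):
# assess_app /Applications/Transmission.app && show_signer /Applications/Transmission.app
```

A "verified" result only means the signature is intact and Gatekeeper currently accepts it; compare the Team ID printed by show_signer with the developer's published identity before trusting the bundle.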

Often I find Gatekeeper a nuisance since Apple keeps reverting my preferences with each update. An attack like this is concerning because people are relying on Gatekeeper to ensure the integrity of applications.

One security measure to use is an outbound software firewall. I've used Little Snitch for many years, and since this malware phones home, it seems possible Little Snitch could have blocked the activity and alerted the user to it.