In a different sample of KeRanger we discovered, the malware also sleeps for three days, but also makes requests to the C2 server every five minutes.
This makes a lot more sense than the other version. I wonder what those requests included… I would guess PII to sort potential high value targets from those going on to automated ransomware.
I’m a Linux user so I install software that’s been signed from sources that have a history of being (somewhat) secure. Why aren’t Mac users installing from the Mac App Store? When you download binaries from random web sites don’t you expect to get malware?
The two KeRanger infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed on this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer.
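A defender's check for the point made above, added here and not part of the original thread: pin the Team ID a vendor has historically signed with and flag any build whose `codesign` TeamIdentifier differs, since a valid Apple-issued certificate alone says nothing about who holds it. The sample `codesign -dv --verbose=4` output and the developer name in it are constructed; only the Team ID Z7276PX673 comes from the thread.

```python
"""Flag a signed macOS bundle whose Apple Team ID differs from the pinned one."""
import re
from typing import Optional

# Team ID quoted in the thread for the KeRanger-infected Transmission builds.
KERANGER_TEAM_ID = "Z7276PX673"

# Constructed sample of what `codesign -dv --verbose=4 <bundle>` writes to
# stderr. The developer name is made up; the TeamIdentifier is the thread's.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Authority=Developer ID Application: EXAMPLE CORP (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673
"""


def team_identifier(codesign_output: str) -> Optional[str]:
    """Return the TeamIdentifier codesign reports, or None if unsigned/absent.

    codesign prints `TeamIdentifier=not set` for ad-hoc or unsigned code,
    which we treat the same as no identifier at all.
    """
    match = re.search(r"^TeamIdentifier=(.+)$", codesign_output, re.MULTILINE)
    if not match or match.group(1).strip() == "not set":
        return None
    return match.group(1).strip()


def signer_changed(codesign_output: str, pinned_team_id: str) -> bool:
    """True when the bundle is unsigned or signed under a Team ID other than
    the pinned one. Signature validity is deliberately not the test here:
    the infected Transmission builds were validly signed, just by someone else.
    """
    return team_identifier(codesign_output) != pinned_team_id
```

On a real machine the text passed to `signer_changed` would be the stderr of `codesign -dv --verbose=4 /Applications/Transmission.app`, with the pinned value taken from a known-good earlier release.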
Great write-up.
No transactions yet on the address linked in the article. Perhaps that will change in 3 days' time?
It is unlikely the developers of Transmission could get it listed on the MAS.