1. 18

  2. 3

    Great write-up.

    No transactions yet on the address linked in the article. Perhaps that will change in 3 days' time?

    In a different sample of KeRanger we discovered, the malware also sleeps for three days, but also makes requests to the C2 server every five minutes

    This makes a lot more sense than the other version. I wonder what those requests included… I would guess PII to sort potential high value targets from those going on to automated ransomware.
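    Added example, not part of this thread or the article it discusses: a small periodicity check of the kind a defender would run over proxy or DNS logs to surface a host that calls out at a fixed five-minute cadence. The log lines, host names and IP are constructed for the example; the interval threshold and jitter tolerance are assumptions, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log: "timestamp src_ip dst_host" per line (not real traffic).
# One destination is hit every ~300 s with small jitter; the other is ordinary browsing.
SAMPLE_LOG = """\
2016-03-07T10:00:00 10.0.0.5 example-c2.invalid
2016-03-07T10:05:01 10.0.0.5 example-c2.invalid
2016-03-07T10:09:59 10.0.0.5 example-c2.invalid
2016-03-07T10:15:00 10.0.0.5 example-c2.invalid
2016-03-07T10:20:02 10.0.0.5 example-c2.invalid
2016-03-07T10:24:58 10.0.0.5 example-c2.invalid
2016-03-07T10:00:10 10.0.0.5 news.example
2016-03-07T10:00:45 10.0.0.5 news.example
2016-03-07T10:07:30 10.0.0.5 news.example
2016-03-07T10:31:12 10.0.0.5 news.example
2016-03-07T10:32:00 10.0.0.5 news.example
2016-03-07T10:50:41 10.0.0.5 news.example
"""


def parse_log(text):
    """Return {(src, dst): [datetimes sorted ascending]} from the constructed format."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        hits[(src, dst)].append(datetime.fromisoformat(ts))
    for key in hits:
        hits[key].sort()
    return hits


def find_beacons(text, min_hits=5, max_jitter=0.05):
    """Flag (src, dst, median_gap_seconds) for pairs whose request gaps are nearly constant.

    max_jitter is the coefficient of variation (stdev / median gap) above which the
    traffic is treated as irregular, i.e. human browsing rather than a timer.
    Both thresholds are assumed values for this example.
    """
    flagged = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        if pstdev(gaps) / med <= max_jitter:
            flagged.append((src, dst, round(med)))
    return flagged


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: regular interval of ~{gap}s")
```

    Real malware often adds randomised sleep to defeat exactly this check, so the jitter tolerance is a tuning knob rather than a constant; the point is that a strict timer, as described for this sample, stands out clearly against normal browsing.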

    1. 1

      I’m a Linux user so I install software that’s been signed from sources that have a history of being (somewhat) secure. Why aren’t Mac users installing from the Mac App Store? When you download binaries from random web sites don’t you expect to get malware?

      1. 3

        The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection.

        1. 1

          The two KeRanger infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed on this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer.
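          Added example, not from the thread or from the Transmission project: Gatekeeper only asks whether the signature chains to Apple, so the check that would have caught this is pinning the Team ID of the vendor you expect and comparing it against what `codesign` reports. The `codesign -dvv` output below is constructed for the example (the team ID Z7276PX673 is the one quoted above; the executable path and "EXAMPLE DEVELOPER" name are made up), and the pinned "expected" ID is a placeholder, since the legitimate Transmission team ID is not stated on this page.

```python
import shutil
import subprocess

# Constructed output in the shape `codesign -dvv` writes to stderr (not real output).
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: EXAMPLE DEVELOPER (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673
"""


def parse_codesign(output):
    """Pull the TeamIdentifier and the Authority chain out of codesign's key=value lines.

    codesign prints 'TeamIdentifier=not set' for ad-hoc signatures; treat that as no team.
    """
    info = {"team_id": None, "authorities": []}
    for line in output.splitlines():
        if line.startswith("TeamIdentifier="):
            value = line.split("=", 1)[1].strip()
            info["team_id"] = None if value == "not set" else value
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1].strip())
    return info


def check_team_id(output, expected_team_id):
    """Return (ok, reason). A valid Apple-issued signature alone is not enough:
    the Team ID must match the one pinned for this vendor."""
    info = parse_codesign(output)
    if info["team_id"] is None:
        return False, "unsigned or ad-hoc signed: no TeamIdentifier"
    if info["team_id"] != expected_team_id:
        return False, f"signed by unexpected team {info['team_id']} (expected {expected_team_id})"
    return True, f"signed by pinned team {expected_team_id}"


def codesign_output(app_path):
    """On macOS, run codesign against an app bundle and return its stderr text."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not available; this helper only works on macOS")
    proc = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    return proc.stderr


if __name__ == "__main__":
    # PINNED_TEAM_ID is a placeholder; replace with the vendor's known Team ID.
    PINNED_TEAM_ID = "EXPECTEDTEAM"
    ok, reason = check_team_id(SAMPLE_CODESIGN_OUTPUT, PINNED_TEAM_ID)
    print("OK" if ok else "REJECT", "-", reason)
```

          Run against a real bundle with `check_team_id(codesign_output("/Applications/Transmission.app"), PINNED_TEAM_ID)`. The useful property is that a freshly issued, perfectly valid certificate from a different team fails the check, which is exactly the case described in this comment.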

        2. 2

          It is unlikely the developers of transmission could get it listed on the MAS.