A cyber threat actor has been leveraging an old LockBit builder to experiment with ransomware targeting Apple’s macOS devices, according to two threat intelligence providers.
In an October 22 report, SentinelLabs, the research branch of cybersecurity provider SentinelOne, shared observations of new macOS malware samples from an unidentified threat actor.
This report is related to previous findings by Trend Micro about Golang ransomware samples abusing the Amazon Simple Storage Service (S3) Transfer Acceleration feature to exfiltrate the victim’s files and upload them to the attacker-controlled S3 buckets.
In both cases, the malware attempts masqueraded as LockBit ransomware.
SentinelLabs researchers named this activity cluster ‘macOS NotLockBit.’
MacOS NotLockBit Malware Analysis
SentinelLabs reported that the ransomware it detected will only run on Intel Macs or Apple silicon Macs with the Rosetta emulation software installed.
On execution, the ransomware gathers system information from the host, such as the product name, version and build, the architecture and the time since the last boot. It then attempts to exfiltrate the user’s data to a remote server.
An embedded public key allows for asymmetric encryption, making decryption impossible without access to the private key held by the attacker.
The malware uses this embedded public key to encrypt a randomly generated master key. This is used in the subsequent file encryption process and written to a README.txt file deposited in each folder containing encrypted files, recognizable by their .abcd file extension.
Once the encryption process is complete, the malware attempts to use osascript to change the Desktop wallpaper and display a LockBit 2.0 banner.
LockBit in Name Only
The LockBit 3.0 builder (aka LockBit Black) was released in March 2022 and leaked six months later by the group's disgruntled developer, leading to disruptions within the ransomware-as-a-service (RaaS) landscape.
Speaking to Infosecurity, Allan Liska, cyber threat intelligence analyst at Recorded Future, said that this leaked builder is the primary reason that “we are still seeing an increase in LockBit-branded activity even though the LockBit group itself is far less active, having been severely affected by the law enforcement takedown earlier in 2024.”
Jim Walter, a senior threat researcher at SentinelOne, told Infosecurity that this builder has lowered the barrier of entry for lower-skilled malicious hackers.
“The tier one groups, made up of script kiddies-level hacktivists, just try to disrupt and cause chaos and mayhem, not necessarily profit in a ransomware operation. On top of the historical defacement and DDoS activity, they now have access to widely available ransomware tools like the LockBit builder to make a statement,” he explained.
However, in the case of macOS NotLockBit, the ransomware does not actually use any LockBit builders. It only leads to a LockBit 2.0 banner, suggesting the group behind the malware is purely leveraging the LockBit high-level reputation.
“As pointed out by other researchers, LockBit 2.0 has been superseded by version 3.0 for some time now and key actors behind its development have been arrested, meaning that whoever is responsible for developing this malware is, with high probability, not LockBit,” SentinelLabs reported.
MacOS Targeting is (Probably) Coming
Another interesting element about this campaign is the specific targeting of macOS devices – still unchartered territory for ransomware actors. The real LockBit group is one of the few groups to have attempted compromising macOS systems to deploy ransomware.
“Until now, ransomware threats for Mac computers had been at best ‘proof of concept’ and at worst entirely incapable of succeeding at their apparent aim,” SentinelLabs researchers wrote.
In all versions of this malware, the attackers are reportedly hindered by Apple’s Transparency, Consent and Control (TCC) protections. Multiple alerts require consent as the malware attempts to traverse certain directories and control processes such as System Events. However, SentinelLabs researchers expect to see the threat actor develop a way of bypassing these safeguards in future versions.
“Ransomware on macOS remains a small and still unlikely threat, but it is apparent that threat actors have understood that the double extortion method that works so well on other platforms – essentially, infostealers combined with file lockers – is equally viable on Apple’s desktop platform,” SentinelLabs concluded.
Read more: MacOS Vulnerability Could Expose User Data, Microsoft Warns