On April 16th, Twitter user @malwrhunterteam tweeted details of a sample of the LockBit ransomware compiled for Apple’s macOS arm64 architecture. LockBit claims to be “the oldest ransomware affiliate program on the planet”, and news that one of the major cybercrime outfits in the ransomware landscape was now targeting macOS devices has predictably raised concerns about the ransomware threat on Mac devices.

In this post, we explore both the details of the LockBit sample uncovered and the larger question of how real is the risk of ransomware on macOS endpoints.

LockBit for Mac | Testing, Testing, 1 2 3

The sample of LockBit ransomware for Mac was discovered on VirusTotal on April 16th, and according to @vxunderground may have been compiled as early as 17th November 2022.

A further sample was uploaded to VirusTotal on the 8th December, 2022.

The macOS samples are compiled solely for the Apple ARM M1/M2 (aka Apple silicon) architecture. No macOS Intel sample is known at this time.

Importantly for concerned users, no occurrences of LockBit for Mac have yet been reported in the wild, no victims claimed, and no distribution method is known to be associated with the malware. However, early claims that the sample was non-functional were incorrect.

LockBit 3.0 typically requires a unique password to execute; in the case of the Mac sample, the hardcoded password is “test” – one of several clues as to the current state of development of the threat.

The Mac variant is a direct descendant of the LockBit for Linux variant first spotted in Jan 2022, and contains much the same code.

The ransomware functions as intended to encrypt targeted files, which are subsequently appended with the .lockbit extension. The locker also deposits a rather lengthy ransom note in the parent folder with the name !!!-Restore-My-Files-!!!.

The ransom note gives a clear indication of the intended victims.

LockBit is known for attacking and extorting organizations rather than random individuals on the internet, and the aim of the developers is to make large profits from locking and stealing business data.

The Mac sample does not appear to implement any functionality for exfiltrating the data it locks, nor does it have any method of persistence: more clear signs that this is a “work in progress” and not a genuine payload intended for use in the wild.

LockBit for Mac | Execution and Encryption

Despite the underdeveloped nature of the samples, it is clear that the authors are experimenting with similar functionality seen in lockers for other platforms. The malware is intended to be executed by a human operator or configuration file and offers a number of different encryption options. These mirror those seen in the Linux version noted above.

These can be seen reflected in the methods seen in the code.

Although there is a list of hardcoded extension names, many of which are not applicable to macOS, the locker is not restricted to encrypting only files with those extensions. As noted above, an operator may specify a particular destination and attempt to encrypt all files in that destination, partially or entirely.

Much of the code and methods apply to non-macOS platforms such as Windows, ESXi and Linux, indicating that the samples were likely compiled from the same cross-platform source code.

On execution on an Apple M1 or M2 device, the LockBit ransomware queries for the model name via sysctl hw.model, likely as part of anti-analysis measures.

Encryption takes advantage of the publicly available library Mbed TLS. Interestingly, there appear to be no cross-references to the functions intended to decrypt locked files.

According to one media report, the public-facing representative of LockBit, known as LockBitSupp, said that the Mac encryptor is “actively being developed”. Perhaps more complete samples may be over the horizon with the missing functionality.

Is Ransomware a Real Risk on macOS Today?

Due to the rampant nature of the ransomware threat on other platforms, it is only natural to wonder how safe Macs are from ransomware actors. While some security vendors have incorrectly made much of it in the past, the reality is that there is no publicly recorded case of any business ever paying a ransom demand as a result of macOS ransomware. This is not surprising when you look at the history of attempts to build ransomware on macOS to date.

The most recent known Mac ransomware prior to the LockBit sample found this week was EvilQuest (aka ThiefQuest). SentinelLabs analysis of the threat and subsequent publication of a decryptor revealed that the actual ransomware component was unfit for purpose. Despite garnering headlines like “New Mac Ransomware Is Even More Sinister Than It Appears”, not only was the encryption weak, the ransom note did not include a way for intended victims to contact the threat actors to exchange their money for a decryption key: It merely included a crypto wallet address and a demand for the princely sum of $50.

Unsurprisingly, that wallet remains empty today, having never received a single transaction. Though EvilQuest was certainly a real threat and continued to infect devices over the following 12 months or so, its infostealing and keylogging capabilities were likely the real reward for the threat actors: As ransomware, it failed entirely.

Prior to 2020, the next most recent macOS ransomware attempt was Patcher, discovered by ESET in 2017. Patcher (aka FindZip) was distributed in cracked apps on torrent sites and, much like EvilQuest, never recorded a single transaction to its bitcoin address.

Patcher was preceded in 2016 by KeRanger, a functional ransomware distributed through a trojanized version of the popular Transmission bittorrent client. KeRanger appears to have been precisely $3.02 more successful than either EvilQuest or Patcher ransomware: Its bitcoin wallet shows exactly one transaction – not necessarily from a victim – of that value.

We have to go back to 2014 to find the next occurrence of macOS ransomware. FileCoder was discovered on VirusTotal and was said to have been lying around on the site for two years. Unfinished and unworkable, FileCoder was a POC that did not actually encrypt the user’s files but demonstrated encryption and decryption of a sample file included with the malware. It is thought to be the precursor to the Patcher/FindZip malware discussed above.

In short, the history of ransomware on macOS to date shows that there has yet to be a viable threat or any ransomware that has financially impacted any individuals or organizations.

How to Stay Safe from LockBit macOS Ransomware

At the present time, SentinelOne does not consider LockBit a serious threat for macOS endpoints. As noted above, the known samples are very much a Proof-of-Concept and not suitable for deployment by threat actors in their current state. However, news outlets have reported that LockBit developers do consider a Mac file locker an active project, meaning that this situation may change in the near future.

As a precaution, the SentinelOne agent detects LockBit for Mac and protects macOS endpoints from executing the sample.

macOS security teams whose organizations are not protected by SentinelOne may refer to the Indicators of Compromise below for threat hunting and detection.

Conclusion

Are the big game hunters coming to a macOS endpoint near you? Not yet, but that doesn’t mean they won’t. The development of a Mac-specific ransomware variant suggests that the thought has obviously occurred to some threat actors sufficiently to invest time in producing a test sample, but that sample is far from ready for use against real targets. More importantly, from a threat actor’s point of view, locking files on Macs is not really a viable use case, though it may create some headlines, since service disruption in many cases is not likely to be severe – few organizations use Mac servers for essential services. In addition, worming from one Mac to another in the way Windows malware often does is exponentially more difficult on Macs. Consequently, the return on investment for a ransomware actor in deploying file locking malware on a Mac endpoint is likely to be substantially lower than similar attacks on Windows and Linux servers

Stealing data, however, is very much a viable use case for threat actors targeting Macs. As ransomware actors in general have transitioned to extorting enterprises to prevent stolen data being leaked, it should not come as a surprise if LockBit and other cybercrime outfits begin turning their attention to ways to achieve the same on macOS. Indeed, infostealers are very much a concern on the platform and security teams are advised to review our recent publications on these and on how threat actors can compromise Macs in the enterprise. If LockBit and other ransomware actors are coming for enterprises with macOS devices, it is the theft of data rather than the locking of files that will provide them with the most lucrative rewards.

Indicators of Compromise

YARA Hunting Rule

private rule Macho {
	meta:
		description = "private rule to match Mach-O binaries"

	condition:
		uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca

}

rule LockBit_for_Mac {

	meta:
		author = "Phil Stokes, @philofishal"
		description = "Rule to detect LockBit sample with Arm64 architecture for Apple M1"
		date = "18 April 2023"
		sha1_a = "2d15286d25f0e0938823dcd742bc928e78199b3d"
                sha1_b = "864f56b25a34e9532a1175d469715d2f61c56f7f"

		ref = "https:/s1.ai/LockBit-Mac"
	strings:
		$ransom = { 58 5b 55 5c 19 4b 58 57 4a 56 54 4e 58 4b 5c 19 } // encrypted ransom note string
		$sysctl = { 4a 40 4a 5a 4d 55 19 51 4e 39 5e 4b 5c 49 19 51 } // encrypted sysctl hw grep string
		$label = "bSelfRemove"

	condition:
		Macho and all of them

}

As cybersecurity threats increase in sophistication and frequency, the demand for skilled Security Operations Center (SOC) analysts continues to rise. In tandem with defensive strategies and advanced security software, SOC analysts fill a critical role in keeping enterprises safe from attacks.

SOC teams are responsible for identifying and mitigating oncoming threats, protecting sensitive information, and ensuring the overall security of an organization’s digital assets. As demand for skilled SOC analysts climbs, aspiring analysts need to ensure they have the technical knowledge, analytical skills, and critical thinking abilities required for the job.

This post is the first of three in a series covering the essential skills aspiring analysts should master as they embark on their journey toward success. In this post, we detail the first four key areas of study that lay the groundwork for mastery in the SOC analysis field.

1. Learn Network Architecture

Networking is the backbone of any IT infrastructure. For an aspiring SOC analyst, learning networking basics means understanding how data flows across the network; a skill critical in identifying and responding to security incidents.

By building a foundational understanding of networking concepts such as IP addressing, subnets, domain name system (DNS), routing, and protocols like TCP/IP, ICMP, and UDP, a SOC analyst can identify anomalies, track down malicious activity, and create effective security policies.

Since most attackers are initiated from the network, having a good grasp of network security fundamentals, including firewalls, intrusion detection and prevention systems (IDPS), and network segmentation provide SOC analysts with an edge in responding to security incidents. Understanding network fundamentals typically includes the below areas of interest:

• Learn networking fundamentals – Learn about network topologies, addressing, protocols, and networking devices. Resources such as the CompTIA Network+ or Cisco CCNA certifications can provide a solid foundation in fundamental networking concepts.
• Learn network security principles – Focus on firewalls, intrusion detection and prevention systems (IDPS), and virtual private networks (VPNs).
• Practice with hands-on labs – Use virtual labs or physical equipment to gain hands-on experience in configuring and troubleshooting networks. Examples include:
  • GNS3 – This free, open-source network simulation software allows users to design, configure, and test virtual networks.
  • Packet Tracer – This network simulation software developed by Cisco allows users to design, configure, and test network topologies.
  • EVE-NG – This network emulation software allows users to design, configure, and test virtual networks and complex network configurations.
  • TryHackMe – This platform provides guided, pre-configured labs accessible through a browser. The variety of high-quality courses and their low entry barrier allow learners to gain exposure to different tools and concepts.
• Join networking and security communities – Connect with professionals in the networking and security industry to learn from their experience, ask questions, and gain insights into the latest trends and technologies. Online communities such as Reddit’s /r/networking or /r/netsec, or professional associations such as ISACA, ISSA, or (ISC)², can be a great resource for connecting with others in the field.
• Stay up-to-date with industry news – Follow security and networking news sites such as Dark Reading, BleepingComputer, or SecurityWeek to stay informed on the latest security threats and trends.

2. Learn Network Analysis

Network traffic analysis involves examining the packets of data transmitted between devices on a network to identify patterns, anomalies, and signs of malicious activity. SOC analysts can detect suspicious behaviors such as unauthorized access attempts, data exfiltration, malware infections, and command-and-control communication by analyzing network traffic.

They can also use network traffic analysis to trace the origin of an attack, determine the scope of compromise, and identify affected assets. Network traffic analysis skills are key for any aspiring SOC analyst looking to build proficiency in threat detection and incident response. To get started on learning how to analyze network traffic, consider the below steps:

• Build up networking basics – Before analyzing network traffic, it is essential to have a solid understanding of networking concepts such as TCP/IP, DNS, HTTP, and SSL. Learn to interpret a packet’s structure and each header field’s role can help identify and troubleshoot network issues.
• Use network analysis tools – Various network analysis tools can help analyze network traffic, such as Wireshark, tcpdump, and tshark. These tools can be used to capture, decode, and analyze packets in real time or from saved capture files. Using Wireshark, for example, analysts can filter traffic by IP address, protocol, port, or keyword and analyze packet contents such as payload, headers, and timestamps.
• Practice analyzing network traffic – The best way to improve network traffic analysis skills is by practicing on real-world network traffic data. Sample capture files are obtainable from online resources such as the Wireshark Sample Captures page or by capturing traffic on a test network. Use the traffic to simulate an attack and create detection rules using a NIDS-like snort.
• Learn from online resources – Various online resources provide tutorials, blogs, and videos on network traffic analysis, such as the Wireshark University, PacketTotal, and the SANS Institute. These resources can help budding analysts learn advanced techniques like protocol analysis, network forensics, and malware analysis.

3. Learn Log Analysis

To be effective in their role, SOC analysts need to show proficiency in log analysis. Logs are a critical information source containing a wealth of data about system and network activity, user behavior, and security events. By analyzing logs, SOC analysts can identify suspicious activity, track the spread of malware, and detect potential security incidents.

Log analysis also plays a crucial role in incident response. When a security incident occurs, SOC analysts must investigate it, determine its scope and impact, and identify the root cause. Data captured in logs can help SOC analysts reconstruct the incident timeline, identify the attacker’s entry point, and determine the extent of the compromise.

Analyzing logs will also be required for any in-depth forensic investigations. The analysis involves examining logs generated by various systems and applications to detect anomalies, suspicious activities, and signs of compromise. Experienced analysts can detect events such as failed login attempts, unusual network traffic, and system changes that may indicate a security incident. Below are some methods aspiring analysts can take to improve their log analysis skills:

• Become familiar with log management tools – Log management tools like Splunk, ELK, and Graylog can help analysts to parse, search, and analyze logs. These tools can collect logs from different sources, apply filters and transformations, and visualize log data. Use these tools to view the organization’s security posture comprehensively.
• Learn common log formats – Logs come in a variety of formats. Learning common log formats like Syslog, Apache, and Windows Event Logs will serve to develop a stronger understanding of log data and how to make sense of it.
• Study log analysis, parsing, and search techniques – SOC analysts must have a wide arsenal of knowledge on log analysis techniques such as anomaly detection, correlation analysis, and threat hunting. Also, practice parsing and searching logs with different log management tools and techniques.
• Use regular expressions (Regex) – Regular expressions (regex) are a powerful tool for parsing and searching log data, allowing analysts to extract specific information from logs quickly.
• Filter noise – Logs may contain a lot of noise, such as debug messages, informational messages, or system messages. Filtering out noise helps analysts focus on the essential log data only.
• Use visualization tools – Visualization tools like graphs, charts, and dashboards are useful when trying to understand log data quickly. Utilize any visualization features within log management tools to create graphs or dashboards that show trends or anomalies in log data.
• Stay updated on threat news – Cybersecurity threats and attack techniques constantly evolve. Stay in the know with the latest cybersecurity news and trends. Follow industry blogs, attend webinars, and participate in online communities to stay informed.

4. Learn Endpoint Analysis

In today’s digital landscape, cybercriminals are continually devising new ways to exploit vulnerabilities and launch attacks, and the traditional perimeter-based security model is no longer enough. Security operations centers (SOCs) are at the forefront of identifying and mitigating these threats, and SOC analysts need to be familiar with a variety of tools and techniques to protect their organization’s network and sensitive data. Among these, one of the most critical tools that SOC analysts need to master is endpoint security tools.

Endpoint security tools protect against cyberattacks, focusing on securing endpoints like laptops, desktops, mobile devices, and servers. The endpoint is where an attack usually occurs, and it’s also the entry point for malware and other cyber threats. Endpoint security tools help to identify, isolate, and remediate the threat before it can cause significant damage.

Endpoint security tools in the hands of a knowledgeable SOC analyst can do the following:

• Protect vulnerable endpoints – Attacks on endpoints can result in data breaches, system disruption, and other security incidents. Endpoint security tools help to protect against these attacks by providing real-time visibility and control over devices.
• Perform advanced threat detection – Endpoint security tools use advanced threat detection mechanisms like behavioral analysis, machine learning, and artificial intelligence to detect and respond to threats. These tools can identify and isolate suspicious activities, providing SOC analysts with the information they need to respond to incidents quickly.
• Increase visibility – Endpoint security tools provide SOC analysts with a complete view of endpoint devices, including their applications and processes. This visibility allows analysts to identify vulnerabilities and misconfigurations that cybercriminals could exploit.
• Save time – Endpoint security tools can automate and orchestrate response actions, reducing the time it takes to detect and respond to incidents. This automation helps SOC analysts to focus on high-priority incidents, improving the overall efficiency and effectiveness of the SOC.

There are several endpoint security tools that SOC analysts need to master to protect their organization’s network and sensitive data. The most important of these are:

• Endpoint Detection and Response (EDR) – EDR solutions provide real-time visibility into endpoint devices, enabling SOC analysts to quickly detect and respond to incidents. EDR solutions use advanced threat detection mechanisms like behavioral analysis and machine learning to identify and isolate suspicious activities.
• Antivirus & Anti-Malware – These can help to protect against known threats. These tools use signature-based detection to identify and block known malware and viruses.
• Vulnerability Scanners – These tools scan endpoint devices for vulnerabilities and provide SOC analysts with a list of vulnerabilities that need to be addressed.
• Patch Management Tools – These are vital to keeping endpoint devices up to date with the latest security patches and updates. These tools protect endpoint devices against known or so-called “N-day” vulnerabilities.

Conclusion

The path to mastering the art of SOC analysis begins with these fundamental skills, but it does not end there. In Part 2 of this series, we will cover how analysts can develop further and explore more advanced topics including cloud computing, Active Directory, threat hunting and malware detection.

Armed with a solid understanding of these concepts, new and developing analyts can rapidly learn how to detect intrusions and isolate them before they move deep into a sensitive environment and create long-lasting damage.

A trained and experienced SOC analyst is an invaluable component of today’s cybersecurity defense. To build on the skills we’ve discussed in this post, look out for the next part of this series by subscribing to our email list or following us on social media.

SentinelOne offers robust Managed Detection & Response (MDR), Managed Threat Hunting (MTH), Compromise Assessment and Incident Response Services. To learn more contact us or visit SentinelOne Global Services.

SentinelOne Singularity RemoteOps enables security teams to orchestrate forensics, carry out investigations remotely across multiple endpoints, and respond rapidly at scale. With RemoteOps, security teams are empowered to safeguard their enterprise from complex and time-sensitive cyber threats.

Streamline Security Through RemoteOps Scripts

The ability to run scripts allows incident response teams to efficiently modify tools and collect forensic artifacts – all accelerating the overall investigation and response workflows. The RemoteOps Script Library houses an extensive collection of out-of-the-box scripts available for all platforms including PowerShell for Windows and bash scripts for Linux and macOS.

Using this library, security teams can quickly execute remote scripts either directly from the SentinelOne console or via API to simplify and speed up investigative tasks during active events.

RemoteOps makes it easy to execute tasks via SentinelOne’s agents – at scale, for large sets of endpoints, or targeting only individual endpoints. This has many different uses:

• Extend the SentinelOne platform with literally any custom endpoint action – if you can script it, you can automate it!
• Collect forensic artifacts, like memory dumps or other transient state from an endpoint
• Collect metrics for dashboarding and aggregation with SentinelOne’s PowerQuery language, like graphing the count of endpoints that currently have a process running matching a name
• Provide a library of scripted response actions for defenders, like rolling out a particular patch to an in-house application, deleting a service that matches a name regex, etc
• Perform endpoint scans using open source or 3rd party tools
• Deploy custom 3rd party software or settings to Windows, Linux, or Mac endpoints

Framework Flexibility | Developing Script Actions In Singularity RemoteOps

RemoteOps is a flexible framework allowing security teams to easily create their own scripts tailored specifically for their enterprise’s machines and requirements and run scripts at scale to collect data and deploy a faster response on endpoint events.

Within Singularity, users can develop custom scripts to perform an action or collect structured (e.g., JSON/JSONL, CSV) and unstructured (e.g., files, process dumps) data to the XDR data lake. Custom actions may also include payloads such as binary, additional scripts, installer files, and configuration files.

With all capabilities available in the SentinelOne console, RemoteOps uses role-based access control (RBAC) to determine what tasks can be scheduled, where, and by whom. Further, all actions are audited to ensure the security of the environment.

Case Study | Uploading New Custom Scripts In Singularity RemoteOps

Incident response teams can run or install forensic acquisition tools of their choice when investigating an incident prevented by SentinelOne. RemoteOps allows teams to package their tools, distribute the package across selected endpoints, install, and run it easily.

The below example shows the steps for creating a custom script to deploy the popular open-source forensic tool, Velociraptor.

A PowerShell script such as

$PackageDir = if ($ENV:S1_PACKAGE_DIR_PATH) { $ENV:S1_PACKAGE_DIR_PATH } else { $PSScriptRoot }

$log = Join-Path -Path $ENV:TEMP -ChildPath "velociraptor.install.log"
$msi = Join-Path -Path $PackageDir -ChildPath "velociraptor.msi"

Write-Output "Starting install from '$msi' and logging to '$log'"
Start-Process "msiexec.exe" -ArgumentList @("/i", $msi, "/qn", "/L*v", $log) -Wait -NoNewWindow
Copy-Item (Join-Path -Path $PackageDir -ChildPath "velociraptor.yaml") "C:Program FilesVelociraptorclient.config.yaml" -Force

would deploy Velociraptor from the MSI installer to a Windows system.

Next, simply upload the custom script action and payload to the RemoteOps Script Library.

To schedule installation and execution, users can choose to use saved filters, manual selection, or live queries to run the action on any set of selected endpoints. Agents will then execute actions in parallel.

In addition to running scripts manually, security teams can also schedule script actions for automatic execution (e.g., response to a custom rule detection or threat detection) using Singularity Marketplace apps, or via SentinelOne’s console APIs using any security automation solution.

Conclusion

Delays in the investigation and remediation phase leave enterprises at a higher risk to long-term damage from cyber incidents. With the power of running scripts on millions of endpoints automatically, security teams can collect forensic artifacts valuable for incident investigations and expedite the triage and response processes. Customers can rely on Singularity RemoteOps to create and run complex scripts and commands efficiently to collect the right data and respond remotely to suspicious behaviors.

To learn more about how Singularity RemoteOps can give time back to security teams working against the clock and help alleviate the burden for remote forensic tasks, book a demo today.