Thanks to Xinran Wu of SophosLabs for his behind-the-scenes work on this article.
(With apologies to Oscar Wilde.)
The first time it happened to popular BitTorrent client Transmission was back in March 2016.
For a short while, the Mac version of Transmission 2.90 on the official download site was a not-so-official version that had some secret sauce of its own: OS X ransomware called OSX/KeRanger-A.
This time, for less than 24 hours on 28 August 2016 and 29 August 2016, a bogus version of Transmission 2.92 was uploaded that contained malware known as OSX/PWSSync-B.
Ironically, the main feature added when 2.92 was released, and the main reason you might have updated, was a malware removal utility for KeRanger, in case you had a leftover infection from the hacked 2.90 version.
PWS, by the way, is short for password stealer, so you can guess the primary function of the malware; it is also known as “Keydnap”, a name that explains itself (say it out loud quickly).
The hack that was applied to the Transmission app this time is very similar to the previous attack.
The hacked Transmission program itself contains only a tiny change: a small snippet of code added at the start that loads a file called License.rtf that is packaged into the application bundle. (Last time, the sneaky extra file was
Transmission’s hacked startup code loads License.rtf from the
License.rtf sounds innocent enough – what software doesn’t include a licensing document somewhere? – and opening it seems equally reasonable.
Except that this License isn’t what it seems.
It’s actually an OS X executable (program file) that:
- Configures itself as an OS X LaunchAgent so that it runs automatically every time you reboot or log on.
- Steals passwords and other credentials from your OS X Keychain, the Mac’s built-in password manager.
- Calls home to download additional scripts to run.
As an aside, don’t forget that before ransomware grabbed the headlines, with its laser-like focus on scrambling your data quickly to provoke prompt payment, most malware included a zombie or bot component like the third item above.
So, don’t forget that even though the credential-grabbing part of OSX/PWSSync-B is bad enough on its own…
…malware that includes a “download new stuff and run it” function can, rather obviously, be updated at any time to commit any additional cybercrimes that its botmaster might decide upon.
The Transmission.app package is digitally signed, so if you run it you won’t see an “unknown developer” warning: Gatekeeper checks that the signature chains up to Apple, not that the signer is the developer you expect. And the signature doesn’t identify the developer you’d expect for a legitimate Transmission file:

FAKE APP (AUGUST 2016):
Identifier=org.m0k.transmission
Authority=Developer ID Application: Shaderkin Igor (836QJ8VMCQ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Aug 28, 2016, 5:09:55 PM
TeamIdentifier=836QJ8VMCQ

REAL APP:
Identifier=org.m0k.transmission
Authority=Developer ID Application: Digital Ignition LLC
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=6 Mar 2016, 20:01:41
TeamIdentifier=5DPYRBHEAR
If you’re comfortable using a bash prompt, you can extract the details shown above, and more, from any Mac app by using the command codesign -d --verbose=4 Nameofthe.app (codesign prints its report on stderr, so add 2>&1 if you want to pipe it elsewhere). Note that the two signatures above share the same Identifier and both chain to Apple Root CA; only the Authority name and the TeamIdentifier give the fake away.
Just for interest, here is the developer’s signature from the last time Transmission was hacked:
FAKE APP (MARCH 2016):
Identifier=org.m0k.transmission
Authority=Developer ID Application: POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Mar 4, 2016, 9:36:28 PM
TeamIdentifier=Z7276PX673
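Both hacked builds carried a perfectly valid Apple-issued Developer ID signature, just not the real developer’s, so the useful check is to pin the TeamIdentifier rather than merely asking “is it signed?”. The script below is an added example, not code from the article or from the Transmission project: it parses the codesign report for the TeamIdentifier and compares it with the one shown for the genuine app above (5DPYRBHEAR, Digital Ignition LLC). The two sample reports are constructed from the fields quoted in the article so the script runs on any system; on a Mac you would feed it real codesign output instead.

```shell
#!/bin/sh
# Added example (not from the original article): pin a Mac app's Developer ID
# TeamIdentifier instead of trusting that "signed" means "signed by the right developer".
# EXPECTED_TEAM is the TeamIdentifier the article shows for the genuine Transmission app.
EXPECTED_TEAM="5DPYRBHEAR"

# extract_team: read a "codesign -d --verbose=4" report on stdin and print the
# first TeamIdentifier it contains (nothing if the field is absent).
extract_team() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# check_signature: read a codesign report on stdin; return 0 if its TeamIdentifier
# equals EXPECTED_TEAM, 1 if it differs, is missing, or is "not set" (ad-hoc signature).
check_signature() {
    team=$(extract_team)
    if [ "$team" = "$EXPECTED_TEAM" ]; then
        echo "OK: TeamIdentifier $team matches expected $EXPECTED_TEAM"
        return 0
    fi
    echo "WARNING: TeamIdentifier '${team:-missing}' does not match expected $EXPECTED_TEAM"
    return 1
}

# Constructed sample reports, reduced to the fields quoted in the article.
# Both share the same Identifier and chain to Apple Root CA; only the Authority
# name and TeamIdentifier differ, which is exactly what a naive "is it signed?" check misses.
FAKE_OUTPUT='Identifier=org.m0k.transmission
Authority=Developer ID Application: Shaderkin Igor (836QJ8VMCQ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=836QJ8VMCQ'

REAL_OUTPUT='Identifier=org.m0k.transmission
Authority=Developer ID Application: Digital Ignition LLC
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=5DPYRBHEAR'

# Usage on a real Mac (codesign writes its report to stderr, hence 2>&1):
#   codesign -d --verbose=4 /Applications/Transmission.app 2>&1 | check_signature
```

The same pinning idea applies to any third-party app you care about: record the TeamIdentifier once from a build you trust, then compare future downloads against it before launching them.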
What to do?
If you’re a Windows user, you may stop right here: for once, you have the minor luxury of a malware attack that doesn’t apply to you!
This vector of infection only applies if you:
- Have a Mac running OS X.
- Downloaded the Transmission 2.92 BitTorrent client on 28 or 29 August 2016.
- Actually ran the booby-trapped Transmission app you downloaded.
If you think you may be at risk, or if you want to check your Mac anyway, just to make sure, you can use our 100% free Sophos Home product.
Sophos detects these malware components as OSX/PWSSync-B and OSX/PWSSync-E.