As the excitement surrounding the launch of the latest MacBook Pro range featuring the new M4 chip mounts, users of existing hardware have been warned to be aware that hackers are targeting their older devices. Although not something that Apple fans will want to hear, it looks as if the ransomware threat to macOS has started to become more than just fear, uncertainty and doubt. Say hello to NotLockBit.
As The MacBook Pro M4 Hype Continues, Hackers Are Looking To Older Intel Hardware To Attack
A number of reports from different threat intelligence sources have highlighted the fact that macOS malware, specifically ransomware in this case, is firmly on the radar of cyber attackers. Security researchers at Trend Micro were first to sound the alarm concerning a group of threat actors deploying a “fake LockBit” ransomware exploit that included macOS users in its crosshairs. This has now been followed by another report, this time by security researchers with SentinelOne, which has detailed how the macOS.NotLockBit malware is deployed.
Interestingly, given that the focus of the media and Mac fans alike is squarely upon when Apple will start selling the latest M4-powered MacBook Pro hardware, NotLockBit targets users of older laptops. “The ransomware is written in Go and is distributed as an x86_64 binary, meaning it will only run on Intel Macs or Apple silicon Macs with the Rosetta emulation software installed,” SentinelOne said. Which doesn’t let new MacBook Pro users off the hook entirely, of course, but it does make for worrying reading if you are still stuck on an Intel device.
Until now, ransomware threats against users of macOS had been, to be polite, proof of concept exploits rather than real ones, or if they were the latter then “incapable of succeeding at their apparent aim,” according to the SentinelOne researchers. You can sense a big but is coming. But… the latest malware samples analyzed by SentinelOne suggest that threat actors are quickly evolving the macOS ransomware model.
How NotLockBit Malware Attacks Intel MacBook Pro Users
According to the SentinelOne intelligence report, the NotLockBit ransomware gathers system information upon execution, targeting the “System/Library/CoreServices/SystemVersion.plist” property list file in order to grab product name, version and build number. It also queries “sysctl hw.machine” so as to get system architecture data and, finally, “sysctl kern.boottime” for the time since the device was last booted. The security researchers found an embedded public key that enables the potential for asymmetric encryption, “making decryption impossible,” SentinelOne warned, “without access to the private key held by the attacker.” As is typical of modern ransomware, NotLockBit attempts to exfiltrate user data to a remote server.
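For defenders, the three start-up lookups described above can be treated as one correlated signal. The following is an added example, not code from SentinelOne or from this article: it assumes a hypothetical, already-normalized event schema (`ts`, `pid`, `image`, `type`, `target`) and uses constructed sample events to flag any process that performs all three lookups within a few seconds.

```python
from collections import defaultdict

# Absolute form of the property list named above, plus the two sysctl names.
PLIST = "/System/Library/CoreServices/SystemVersion.plist"
SIGNALS = {
    ("open", PLIST): "os_version",
    ("sysctl", "hw.machine"): "architecture",
    ("sysctl", "kern.boottime"): "boot_time",
}

def find_discovery_bursts(events, window=5.0):
    """Return sorted (pid, image) pairs that produced all three signals
    within `window` seconds of each other."""
    last_seen = defaultdict(dict)  # (pid, image) -> {signal: latest timestamp}
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        signal = SIGNALS.get((ev["type"], ev["target"]))
        if signal is None:
            continue
        proc = (ev["pid"], ev["image"])
        seen = last_seen[proc]
        seen[signal] = ev["ts"]
        # The latest timestamp per signal gives the tightest span ending here.
        if len(seen) == len(SIGNALS) and ev["ts"] - min(seen.values()) <= window:
            flagged.add(proc)
    return sorted(flagged)

def ev(ts, pid, image, type_, target):
    """Build one event in the assumed (hypothetical) telemetry schema."""
    return {"ts": ts, "pid": pid, "image": image, "type": type_, "target": target}

# Constructed sample telemetry: one burst, one partial match, one slow match.
SUSPECT = "/Users/demo/Downloads/sample_x86_64"
AGENT = "/usr/local/bin/inventory-agent"
SAMPLE_EVENTS = [
    ev(100.0, 412, SUSPECT, "open", PLIST),
    ev(100.2, 412, SUSPECT, "sysctl", "hw.machine"),
    ev(100.3, 412, SUSPECT, "sysctl", "kern.boottime"),
    ev(101.0, 77, "/Applications/Example.app/Contents/MacOS/Example", "open", PLIST),
    ev(50.0, 90, AGENT, "open", PLIST),
    ev(300.0, 90, AGENT, "sysctl", "hw.machine"),
    ev(650.0, 90, AGENT, "sysctl", "kern.boottime"),
]

if __name__ == "__main__":
    for pid, image in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): version, architecture and boot time read in one burst")
```

Each of these lookups is common in legitimate software on its own, so a match is a triage signal to weigh alongside code-signing status and architecture rather than a verdict.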
The good news is that the latest macOS ransomware threat is far from being a done deal as far as achieving its aims is concerned. In all the versions of the NotLockBit malware analyzed by SentinelOne, the attack was hindered by the MacBook Pro’s transparency, consent and control protections. Apple says that these protections, known as TCC, require that all applications obtain user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive and network volumes. “In macOS 10.13 or later, apps that require access to the full storage device must be explicitly added in System Settings (macOS 13 or later) or System Preferences (macOS 12 or earlier),” Apple said. Furthermore, accessibility and automation capabilities require user permission to help ensure they don’t circumvent other protections.
That said, according to SentinelOne, “bypassing TCC is reasonably trivial,” and so it said it expects future versions of the malware to evolve to counter the multiple alerts, all requiring user consent, as the malware “attempts to traverse certain directories and control processes such as System Events.”
Do MacBook Pro Users Need To Worry About Ransomware Right Now?
The truth of the matter is that every user of any computing device, regardless of the operating system it’s running on, needs to be aware of the threat from malware including ransomware. MacBook Pro users are not exempt from being at risk of attack, but mostly it’s the phishing threat that dominates here. However, the specific threat from ransomware to users of macOS remains both small and unlikely. “It is apparent that threat actors have understood that the double extortion method that works so well on other platforms,” SentinelOne said, “essentially, infostealers combining with file lockers, is equally viable on Apple’s desktop platform.” Indeed, whether the file encryption succeeds or not, SentinelOne warned that threat actors can still benefit from stolen data. There aren’t any known victims of NotLockBit, nor distribution methods that have been exploited in the wild. Threat actors will, without doubt, continue to develop the malware just as Apple will continue to evolve protections to mitigate it. I’d say let MacBook Pro fans stay excited about the new M4-powered devices coming soon, but with one eye open to security threats as everyone should have.