- A new macOS ransomware threat uses a custom file encryption routine.
- The routine appears to be partly based on RC2 rather than public key encryption.
- SentinelLabs has released a public decryptor for use with "EvilQuest" encrypted files.

Researchers recently uncovered a new macOS malware threat, initially dubbed 'EvilQuest' and later 'ThiefQuest'. The malware exhibits multiple behaviors, including file encryption, data exfiltration and keylogging. Of particular interest from a research perspective is the custom encryption routine. A cursory inspection of the malware code suggests that it is not related to public key encryption. At least part of it uses a table normally associated with RC2. The possible usage of RC2 and time-based seeds for file encryption led me to look deeper at the code, which allowed me to understand how to break the malware's encryption routine. As a result, our team created a decryptor for public use.

Uncarving the Encryption Routine

As mentioned in other reports, the function responsible for file encryption is labelled internally as carve_target.

Before encrypting the file, the function checks whether the file is already encrypted by comparing the last 4 bytes of the file to a hardcoded DWORD value. If the test fails, file encryption begins by generating a 128-byte key and calling the tpcrypt function, which basically ends up calling generate_xkey. This function is the key expansion portion, followed by tp_encrypt, which takes the expanded key and uses it to encrypt the data.

Following this, the key is then encoded, using time as a seed. A DWORD value is generated and utilized. The encoding routine is simply a ROL-based XOR loop:

At this point, we can see that something interesting happens, and I am unsure if it is intentional by the developer or not. The key generated is 128 bytes, as we previously mentioned. The calculations then used for encoding the key end up performing the loop 4 extra times, producing 132 bytes. This means that the clear text key used for encoding the file encryption key ends up being appended to the encoded file encryption key. Taking a look at a completely encrypted file shows that a block of data has been appended to it.

Reversing the File Encryption

Fortunately, we don't have to reverse that much, as the actor has left the decryption function, uncarve_target, in the code. This function takes two parameters: a file location and a seed value that will be used to decode the onboard file key. After checking if the file is an encrypted file by examining the last 4 bytes, the function begins reading a structure of data from the end of the file. Following the code execution, we can statically rebuild a version of what this structure might look like: struct data
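To make the weakness described above concrete (a ROL-based XOR key encoder that runs 4 extra iterations and so leaks its own keystream word at the tail), here is an added C model of that bug class. It is not the malware's code or SentinelLabs' decryptor: the rotation amount, DWORD-at-a-time keystream, seed, key bytes and little-endian layout are all constructed assumptions, and the point is only that a decoder can recover the file key from the encoded blob alone, without the time-derived seed.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 128                 /* file key size reported in the analysis */
#define ENCODED_LEN (KEY_LEN + 4)   /* the loop runs one DWORD (4 bytes) too far */
#define ROT 5                       /* constructed rotation amount, not the malware's */

static uint32_t rol32(uint32_t v, unsigned n) { n &= 31; return n ? (v << n) | (v >> (32 - n)) : v; }
static uint32_t ror32(uint32_t v, unsigned n) { n &= 31; return n ? (v >> n) | (v << (32 - n)) : v; }

/* Flawed encoder (hypothetical model): XOR the key DWORD by DWORD with a rotating
 * keystream word derived from a seed, but iterate over KEY_LEN + 4 bytes. The padded
 * input beyond the key is zero, so the last 4 output bytes are a bare keystream word. */
void encode_key(const uint8_t key[KEY_LEN], uint32_t seed, uint8_t out[ENCODED_LEN]) {
    uint8_t padded[ENCODED_LEN] = {0};
    memcpy(padded, key, KEY_LEN);
    uint32_t ks = seed;
    for (size_t j = 0; j < ENCODED_LEN / 4; j++) {
        for (unsigned b = 0; b < 4; b++)
            out[4 * j + b] = padded[4 * j + b] ^ (uint8_t)(ks >> (8 * b));
        ks = rol32(ks, ROT);
    }
}

/* Recovery: read the leaked keystream word from the tail (little-endian), then walk
 * the rotation backwards to regenerate every earlier keystream word and undo the XOR.
 * The seed itself is never needed. */
void recover_key(const uint8_t encoded[ENCODED_LEN], uint8_t key_out[KEY_LEN]) {
    uint32_t ks = (uint32_t)encoded[KEY_LEN] | (uint32_t)encoded[KEY_LEN + 1] << 8 |
                  (uint32_t)encoded[KEY_LEN + 2] << 16 | (uint32_t)encoded[KEY_LEN + 3] << 24;
    for (int j = KEY_LEN / 4 - 1; j >= 0; j--) {
        ks = ror32(ks, ROT);
        for (unsigned b = 0; b < 4; b++)
            key_out[4 * j + b] = encoded[4 * j + b] ^ (uint8_t)(ks >> (8 * b));
    }
}

/* Round trip on a constructed key and seed; returns 1 when the key is recovered
 * from the encoded blob alone, 0 otherwise. */
int demo_roundtrip(void) {
    uint8_t key[KEY_LEN], encoded[ENCODED_LEN], recovered[KEY_LEN];
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(i * 37 + 11);  /* constructed key */
    encode_key(key, 0x5EED1234u, encoded);                               /* constructed seed */
    recover_key(encoded, recovered);
    return memcmp(key, recovered, KEY_LEN) == 0;
}
```

With this particular rotation amount the 32 rotations add up to a multiple of 32 bits, so the leaked tail word is the seed itself, mirroring the "clear text key appended" observation; the decoder does not rely on that coincidence.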