A new piece of ransomware dubbed EvilQuest (aka ThiefQuest) is being delivered bundled up with pirated versions of popular macOS software, researchers warned.
But the ransomware is also a smokescreen, as its “noisiness” is meant to hide other things happening on the system in the background: the installation of a keylogger and a reverse shell, and the exfiltration of files that contain valuable information (keys to cryptocurrency wallets, code-signing certificates, and more).
First spotted in late June, the EvilQuest macOS ransomware has now been analyzed by a slew of threat researchers.
Dinesh_Devadoss , a malware researcher with K7 Lab, spotted the ransomware impersonating the Google Software Update program. Thomas Reed, Director of Mac & Mobile at Malwarebytes, found it on popular torrent sites, injected in installers wrapping pirated versions of popular macOS software such as Little Snitch, Ableton Live, and Mixed in Key.
The malware is able to see whether its running in a virtual machine, whether there are security and antivirus solutions running on the system, and to implement several persistence tricks.
In some cases, the malware turned out to be too buggy to run properly, but when it does, it encrypts random files and shows the ransom note.
The fact that the note contains no contact information for victims to get in touch with the attacker once they pay the ransom made researchers believe that this might be just a smokescreen.
They subsequently discovered they were right: aside from the ransomware component, the malicious installers also download a keylogger and open a reverse shell on the target computer, so that the attacker can continue to access it and steal sensitive information users enter with the keyboard.
Finally, the malware attempts to exfiltrate files with a variety of extensions:
Prevention and remediation
A variety of macOS antimalware solutions now detect this malware and remove it. “The reverse shell and keylogger functionality are all part of the same executable file, and thus will be removed when the malware is removed by Malwarebytes,” Reed told Help Net Security.
Wardle’s RansomWhere? utility detects and stops malicious encryption processes.
For those who got infected, the danger is great: they might lose important files if they don’t have separate backups (there is no indication that the files can be decrypted or that the attacker means to decrypt them even if the victim pays the ransom), but they have also lost control of sensitive information contained in exfiltrated files, and may end up losing control of accounts, cryptocurrency wallets, etc.
UPDATE (July 8, 2020, 1:15 a.m. PT):
SentinelOne has released an EvilQuest decryptor. A demonstration on how to use it is available here. Keep in mind that you still have to clean up your computer afterwards – this will only decrypt the encrypted files.