On Sunday 28 June, K7 Lab’s malware researcher Dinesh Devadoss wrote on Twitter about a new malware program that is not yet being detected by any antivirus engines. The Malware was initially named EvilQuest but has since been renamed ThiefQuest to avoid confusion with the game EvilQuest.
#macOS #ransomware impersonating as Google Software Update program with zero detection. MD5: 522962021E383C44AFBD0BC788CF6DA3 6D1A07F57DA74F474B050228C6422790 98638D7CD7FE750B6EAB5B46FF102ABD @philofishal @patrickwardle @thomasareed pic.twitter.com/r5tkmfzmFT
— Dinesh_Devadoss (@dineshdina04) June 29, 2020
Thomas Reed of Malwarebytes discovered that the malicious code had been spread in pirated Mac programs on a Russian torrent forum Rutracker. Most notably it has been found in an infected copy of Little Snitch – a program that, ironically, is usually used to protect users from malicious activity. Evilquest has also been found in DJ software Mixed In Key 8 and a Google Software Update.
The program installs itself in several places in the system and tries to hide behind names like “com.apple.questd” and “CrashReporter”. If you install it on your computer it will begin encrypting files. Some time later you will see a blackmail message asking for $50 bitcoin to decrypt your files.
According to research by Reed, the software installs a legitimate version of Little Snitch and at the same time loads an executable file “patch” that installs the actual malware. After installing there will be a delay of three days so that the user does not associate any problems with the just installed program. Then after three days have passed the malware began to encrypt files and after that it will demand a ransom. Reed also found traces of a keylogger that registers all keystrokes.
However, it seems that the malware doesn’t actually work that well. The security researcher reported that problems occurred during installation. He also suggested that the authors of the malware are not very familiar with the Mac file structure, because keychain data and settings data were also encrypted, which lead to prominent error messages. Forum users reported that they received the ransom note, but Reed actually failed to get his variant of the malware to run.
It is possible that the reason why Reed was unable to get the malware to run was because it won’t run if it is it detects that it is being run on a security testing environment – such as being installed on a virtual machine. It also won’t run if it detects that there are security tools or antivirus programs running on the computer. However, it also seems that the code is designed to hide certain features while making others visible.
There are a few theories about why this is the case. One theory, put forward by Bleeping Computer, is that the ransomware element of this malware is actually a decoy for its real purpose. “We believe that the ransomware is simply a decoy for the true purpose of this malware”, according to the security experts at Bleeping Computer.
It is thought that the malware starts by stealing files from your computer before it sets about encrypting your system. The ransomware demand seems to be more of an afterthought. In fact, the demand that the user pay $50 in bitcoins means that there would be no way to prove that you had paid as bitcoin is anonymous. Nor is there an email address to liaise with the blackmailers.
Apparently some Python scripts hidden in the malware search for files such as Word, Pages, SSL certificates, and then copies them to a remote server. The list of searched data extensions looks includes text files, images, Word documents, SSL certificates, code-signing certificates, source code, projects, backups, spreadsheets, presentations, databases, and cryptocurrency wallets, including:
.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat
What to do
Obvioulsy the best way to protect yourself from this and other malware is to only download software from a legitimate source. Ideally only download from the Mac App Store. Failing that verify that the site is that of the developer. Luckily Apple has a number of measures built in to make it difficult to install software that isn’t from a recognised developer, but it is possible to bypass these (and malware has been known to walk people thought the necessary steps to do so).
Bleeping Computer suggests you could install Wardle’s free RansomWhere utility, which detects ThiefQuest.
We have this guide to what to do if you experience a ransomware attack here.
If you’re looking for AV buying advice, read our roundup of the Best Mac antivirus and Do Macs get viruses?; general advice can be found in our Mac security tips; and those who think they have been hit by a virus should try How to remove Mac viruses. We also have a full list of Mac viruses here.
Parts of this article were translated from Macworld Sweden and Macwelt by Karen Haslam.