ThiefQuest is Targeting Macs

7226718075?profile=RESIZE_400xMac devices are currently targeted by new ransomware, which is more sinister than before.  But its true purpose may be hidden.  According to Arstechnica's latest report, the new Mac ransomware is called ThiefQuest or EvilQuest.  It is a data wiper and info-stealer that is using ransomware as a decoy.  It is more dangerous because it steals credit card numbers and passwords.  The victims get infected after downloading trojanized installers of popular apps from torrent trackers.

While not common, ransomware has been known to target the macOS platform in the past, with KeRangerFileCoder (aka Findzip), and Patcher being three other examples of malware designed to encrypt Mac systems. Since the first full-fledged Mac ransomware appeared only four years ago, there have not been too many strains explicitly developed to attack Apple's Mac computers. However, the danger of ransomware may seem ubiquitous. Mac ransomware's danger became more sinister after the findings of a new Mac ransomware were published on 30 June 2020, by Dinesh Devadoss, a malware researcher at firm K7 Lab.

Devadoss discovered that ThiefQuest includes the capability to check if it is running in a virtual machine (more of a sandbox check), and it features anti-debug capabilities. It also checks for some common security tools (Little Snitch) and antimalware solutions (Kaspersky, Norton, Avast, DrWeb, Mcaffee, Bitdefender, and Bullguard) and opens a reverse shell used for communication with its command-and-control (C2) server as VMRay. The malware will connect to http://andrewka6.pythonanywhere[.]com/ret.txt to get the IP address of the C2 server to download further files and send data. Armed with these capabilities the attacker can maintain full control over an infected host.

Devadoss also posted the findings on his Twitter account @dineshdina04; “Showing how the new Mac ransomware gets more interesting.  The ransomware, which was originally named as EvilQuest, was changed to ThiefQuest after the security researchers discovered the Steam game series of the same name.”

According to the report, ThiefQuest has a whole other set of spyware abilities that allow it to search the system for cryptocurrency wallet data and passwords, as well as exfiltrate files from an infected device or computer.  It can also run a robust keylogger to steal credit card numbers, passwords, or other financial information as an individual type it in the device.

According to Arstechnica, the new Mac ransomware can remain active even after the computer reboots, by lurking persistently as a backdoor on infected devices.  This may be used for additional or second stage attacks as a launch pad.

The report clarified that ThiefQuest can only infect your Mac device if a pirated, unvetted software or application is installed.  The director of Mac and mobile platforms at the security firm Malwarebytes, Thomas Reed, found out that torrent sites are used to distribute ThiefQuest bundled with name-brand software, like the security app Little Snitch, music production platform Ableton, and DJ software Mixed in Key.

The victims are asked to pay a $50 ransom in bitcoins within three days (72 hours) to recover their encrypted files and are directed to read a ransom note saved on their desktops.  Suspiciously, ThiefQuest is using the same static Bitcoin address for all victims and does not contain an email address to contact after payment has been made.  This makes it impossible for the attackers to identify victims who paid the ransom, and for a victim to contact the ransomware operators for a decryptor.  Combining a static Bitcoin address with a lack of contact methods is a strong indication that the ransomware is a wiper instead.  Wipers, though, are usually used as a cover for some other malicious activity.

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending attacks.

Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

 

TR-20-217-002_ThiefQuest.pdf

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!