EvilQuest macOS Ransomware: A Smokescreen for Other Threats

The COVID-19 crisis has witnessed ample of cyberattacks. Ransomware is the most rampant threat organisations, and individuals are facing worldwide. This time threat actors targeted MacOS systems with ransomware used as a smokescreen to execute other malicious activities. Dubbed as EvilQuest by researchers, the malware spreads through pirated Mac applications and exfiltrates sensitive information including cryptocurrency wallets, files with specific extensions. Also, it encrypts documents, data, and images on the host systems.
Malware campaigns less likely target Mac systems. Windows machines are easy targets as Windows has a considerate market share as compared to Mac. Moreover, a single designed malware can affect millions of system at once by crawling through the network in Windows. And this is less likely the case with Mac systems due to less market share and comparatively low number of targets. Many people have the notion of MacOS being invulnerable to malware or notorious cyber practice. But that is not the case.
Although it is the fourth ransomware attack Mac security experts have encountered since the first three in 2016 and 2017(KeRanger, FindZip and MacRansom), this indicates that threats against Mac systems are also on an upsurge. In fact, in 2020 macOS has outpaced Windows in terms of the number of threats detected. Researcher Tom Reed at Malwarebytes says that EvilQuest is first of its kind malware targeting macOS.

About EvilQuest

Security experts traced the ransomware in late June 2020. Dubbed as EvilQuest(and later as ThiefQuest), the malware uses a cover to execute other notorious activities in the host computer. The malware also can deploy keylogger and steal crypto-wallets.
The researchers first spotted the ransomware impersonating Google Software Update program. A suspicious Little Snitch installer on a Russian forum dedicated for torrent links was found. The driver contained not only the malware but also ransomware crafted to infect the macOS landscape by spreading through piracy. The malware is injected in systems through pirate versions of popular mac software like Little Snitch, Ableton Live, and Mixed in Key.
Apart from demanding a small ransom of $50 in Bitcoins, the EvilQuest also employs techniques to get hold of other activities in the host system. The malware can see whether the compromised system has a virtual machine on it and also can get information about the antivirus running on the system. This helps in implementing persistence tricks.
Furthermore, the ransomware also deploys other advanced tools to record users’ activities and exfiltrate a large amount of data.

Working as a smokescreen

In some cases, the malware has turned out to be a bit buggy to function properly. But, when it does, it encrypts system files and displays a ransom note for the victim.
But this functionality of ransomware is used as a cover for other malicious scripts that run in the background. The injected malware also contains keylogger and a reverse shell, as mentioned earlier.
Ransom Note through EvilQuest
Ransom Note through EvilQuest
Moreover, the ransom note displayed after encrypting files on the system contains no instructions for the victims to contact the threat actors after paying the ransom. And the bitcoin wallet address for all target was same. This cannot allow hackers to know which victim has paid. This is weird and suspicious as there are bleak chances that attackers will decrypt files after receiving the ransom.
This springs the possibility that EvilQuest is just more than ransomware. The dumped keylogger is used to record users’ keystrokes and the reverse shell allows attackers to run custom commands to steal sensitive information from files of specific extensions like crypto-wallets and code-signing certificates.

Exfiltration Data

The attacker establishes a connection with the compromised system through command-and-control (C2) server. Every transmitted signal contains two pieces of information. The first one contains a file path to a file on the victim’s system and the other file is a BASE-64 encoded string containing the contents of the file. A Python file controls the exfiltration process. This file hides in the system and contains the extensions of the files which have to be stolen.
Targeted extensions
Targeted extensions
Researchers consider it one of the most unique way of exploiting mac systems. On top of it, EvilQuest introduces a new class of malware that interestingly targets macOS.

Precautions for Mac Users

  • As there are bleak chances that the threat attackers will decrypt your files after paying the ransom, it may be possible that you may never be able to decrypt your files ever. It is always important to maintain multiple back-ups of your files and other sensitive information. And sure at least one of them is not linked with your mac machine. Use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more.
  • If you are infected by the EvilQuest(ThiefQuest) malware, Malwarebytes for Mac will detect this malware as OSX.ThiefQuest and remove it.
  • The malware is spread through pirated software. It is always less likely that genuine software is compromised. Thus always install genuine software.
The notions that MacOS is invulnerable to malware and virus attacks is wrong. Mac machines have seen a 400% increase in cyber threats from 2018. So keep ourself updated and remain safe.

- Advertisement -

Ayush Dubey
Ayush Dubeyhttps://ayush7ad6.wordpress.com/
Ayush Dubey is an engineering student from IIIT Jabalpur. He has a comprehensive background in technology. Cybersecurity being his primary field of interest. He loves to meet people who are always in a hustle to learn new things.

- Advertisement -

Latest articles

Related articles