
posted by martyb on Monday July 06 2020, @12:11AM   Printer-friendly
from the "Macs-don't-get-viruses" dept.

New Mac Ransomware Is Even More Sinister Than It Appears:

The threat of ransomware may seem ubiquitous, but there haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. (Researchers originally dubbed it EvilQuest, until they discovered the Steam game series of the same name.)

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

"Looking at the code, if you split the ransomware logic from all the other backdoor logic the two pieces completely make sense as individual malware. But compiling them together you're kind of like what?" says Patrick Wardle, principal security researcher at the Mac management firm Jamf. "My current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capability as a way to make extra money."

Though ThiefQuest is packed with menacing features, it's unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7's Devadoss notes that the malware itself is designed to look like a "Google Software Update program." So far, though, the researchers say that it doesn't seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide.

For your Mac to become infected, you would need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it. It's a good reminder to get your software from trustworthy sources, like developers whose code is "signed" by Apple to prove its legitimacy, or from Apple's App Store itself. But if you're someone who already torrents programs and is used to ignoring Apple's flags, ThiefQuest illustrates the risks of that approach.
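The "signed by Apple" advice above can be checked before an installer is ever opened. The following is an added example, not code from the article or from any of the researchers it quotes: a small POSIX shell function that runs Apple's own codesign(1), pkgutil(1) and spctl(8) against a downloaded app bundle, binary or .pkg and reports whether Gatekeeper would accept it. The path passed in is an assumption; the three tools only exist on macOS, so on any other host the function reports that the check is unavailable rather than silently passing.

```shell
#!/bin/sh
# Added example: ask macOS whether a downloaded installer is signed and
# would pass Gatekeeper. Exit codes: 0 accepted, 1 rejected, 2 cannot check.
# Assumes macOS with codesign(1), pkgutil(1) and spctl(8) present.
check_signature() {
  target="$1"
  if [ -z "$target" ] || [ ! -e "$target" ]; then
    echo "usage: check_signature <path-to-.app|binary|.pkg>" >&2
    return 2
  fi
  if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
    echo "unavailable: codesign/spctl not found (not macOS?)"
    return 2
  fi

  case "$target" in
    *.pkg)
      # Flat installer packages carry their own signature; pkgutil shows the chain.
      if ! pkgutil --check-signature "$target"; then
        echo "rejected: package is unsigned or its signature does not verify"
        return 1
      fi
      assess_type=install
      ;;
    *)
      # --deep walks nested bundles/frameworks, --strict applies the current rules.
      if ! codesign --verify --deep --strict --verbose=2 "$target" 2>&1; then
        echo "rejected: code signature missing or invalid"
        return 1
      fi
      # Print who signed it; a trojanized torrent copy will not show the
      # real vendor's "Developer ID Application" authority or team ID here.
      codesign -dvv "$target" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
      assess_type=execute
      ;;
  esac

  # Gatekeeper's verdict: unsigned, ad-hoc or un-notarized items are rejected,
  # which is exactly the warning a user would have to click through to run it.
  if ! spctl --assess --type "$assess_type" --verbose=4 "$target" 2>&1; then
    echo "rejected: Gatekeeper would not run this"
    return 1
  fi
  echo "accepted: signed and passes Gatekeeper assessment"
  return 0
}

# Usage: sh check_signature.sh "/Applications/Little Snitch.app"
if [ $# -gt 0 ]; then
  check_signature "$1"
fi
```

A clean verdict only says the item is signed by a Developer ID Apple has not revoked and has passed notarization; it does not say the software is safe. Its value here is the opposite direction: a copy pulled from a torrent that fails this check is exactly the case the article describes, and the right response is to delete it rather than override the warnings.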

Further details at Security Week, Bleeping Computer, and Malwarebytes.


Related Stories

Free Tool Enables Recovery of Files Encrypted by ThiefQuest Mac Malware

Free Tool Enables Recovery of Files Encrypted by ThiefQuest Mac Malware:

Researchers at endpoint security company SentinelOne have created a tool that enables users to recover files encrypted by the Mac malware named ThiefQuest, which poses as ransomware.

ThiefQuest, initially named EvilQuest, is designed to encrypt files on compromised systems, but also allows its operators to log keystrokes, steal files, and take full control of the infected device.

[...] ThiefQuest is delivered as trojanized installers for macOS applications such as the Ableton and Mixed in Key DJ apps and the Little Snitch firewall. Once the malware has been installed, it starts encrypting files found on the device, after which it informs victims, via text files and a modal window, that their files have been encrypted and a $50 ransom needs to be paid in bitcoin to recover them.

[...] Furthermore, Apple security expert Patrick Wardle noticed that the decryption routine is not called anywhere in the malware code, which indicates that it never gets executed. Malwarebytes researchers pointed out that the malware doesn't always encrypt files, even if it claims it has done so, which further indicates that the ransomware capabilities are just a distraction.

For Mac users whose files have been encrypted by the malware, SentinelOne has released a free decryption tool. The company's researchers analyzed ThiefQuest and noticed that its developer left the decryption function in the malware code. Once they were able to recover the key needed to decrypt the files, they used the malware's own decryption function to restore encrypted files.

[...] Wardle's analysis of the threat revealed that it also looks for executable files and adds malicious code to those files. This would allow it to spread like a virus, which is highly uncommon for Mac malware.

Previously:
(2020-07-05) New Mac Ransomware is Even More Sinister than it Appears


  • (Score: 0) by Anonymous Coward on Monday July 06 2020, @12:30AM (#1016738)

    It's the appy app from your fave TLA.

  • (Score: 0) by Anonymous Coward on Monday July 06 2020, @12:33AM (#1016743) (3 children)

    She was just telling us the other day how wonderful Mac was.

    Enjoy your malware, suckers.

    • (Score: -1, Offtopic) by Anonymous Coward on Monday July 06 2020, @01:02AM (#1016755)

      She was also just telling us the other day how the protesters practiced safe distancing and wore masks. I guess that's what you believe if the only news channel you watch is anchored by Teletubbies.

    • (Score: 5, Informative) by agr (7134) on Monday July 06 2020, @02:06AM (#1016783) (1 child)

      “For your Mac to become infected, you would need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it.”

      • (Score: 3, Insightful) by Mykl (1112) on Monday July 06 2020, @08:15AM (#1016882)

        Yeah, I'm not losing too much sleep over this one.

        Call me when it just requires visiting a compromised site.