A new wiper and information-stealing program called EvilQuest uses ransomware as bait to steal files from Macs. Victims are infected after downloading trojanized installers of popular applications from torrent tracker sites.
While uncommon, ransomware has targeted the macOS platform before, with KeRanger, FileCoder (aka Findzip) and Patcher being three other examples of malware designed to encrypt Mac systems.
EvilQuest was first spotted by K7 Lab malware researcher Dinesh Devadoss and analyzed by Malwarebytes Mac & Mobile Director Thomas Reed, Jamf lead researcher Patrick Wardle and BleepingComputer's Lawrence Abrams.
Installs a keylogger and opens a reverse shell
Devadoss found that EvilQuest checks whether it is running in a virtual machine and includes anti-debugging checks.
It also checks for common security tools (Little Snitch) and antimalware products (Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender and Bullguard), and opens a reverse shell used to communicate with its command-and-control (C2) server, as identified by Felix Seele.
The malware connects to http://andrewka6.pythonanywhere[.]com/ret.txt to receive the IP address of the C2 server, which it then uses to download further files and to send data.
As Reed found when examining the ransomware, EvilQuest is distributed through trojanized installers.
The .PKG installers downloaded from popular torrent sites look like any legitimate installer when launched, but they are distributed inside DMG files and lack a custom icon, which for many macOS users is a warning sign that something is not right.
Reed also found that, in one of the EvilQuest samples analyzed, the package's compressed program files include the original installer and uninstaller of the pirated application, along with a malicious binary named patch and a script that launches the legitimate installer and then starts the malware.
After gaining persistence on the infected device, EvilQuest launches and begins encrypting files, appending a BEBABEDD marker to the end of each encrypted file.
Unlike Windows ransomware, EvilQuest has problems encrypting files, and when it does encrypt them, it is not selective.
It appears to lock files at random, causing various problems on the compromised system: it encrypts the login keychain, resets the Dock to its default appearance and causes the Finder to freeze.
"Once the file encryption is complete, it creates a text file called READ_ME_NOW.txt with the ransom instructions," Wardle added.
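The two artifacts described above, the BEBABEDD trailer on encrypted files and the READ_ME_NOW.txt note, are what a responder would look for when triaging a Mac. The following script is an added example for that purpose and is not code from the article or from any of the researchers it cites. It assumes the marker is written as the four raw bytes BE BA BE DD in that order (the article only names the indicator, so this byte order is an assumption; change MARKER if a sample shows otherwise) and builds its own constructed sample directory so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Assumption (not stated on the page): the BEBABEDD indicator is the four raw
# bytes BE BA BE DD appended in that order. Adjust if a real sample differs.
MARKER = bytes.fromhex("BEBABEDD")
RANSOM_NOTE = "READ_ME_NOW.txt"  # ransom note name reported in the article


def has_trailer(path, marker=MARKER):
    """Return True if the file ends with the marker bytes.

    Only the last len(marker) bytes are read, so large files are cheap to check.
    Files shorter than the marker can never carry it. Unreadable files are
    reported as not matching rather than aborting the whole scan.
    """
    try:
        size = os.path.getsize(path)
        if size < len(marker):
            return False
        with open(path, "rb") as f:
            f.seek(size - len(marker))
            return f.read(len(marker)) == marker
    except OSError:
        return False


def triage(root, marker=MARKER):
    """Walk root and collect suspected encrypted files and ransom notes.

    A trailing marker alone is a strong hint, not proof: a benign file could end
    with the same bytes by chance, so the result is a list for a human to review.
    """
    found = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                found["notes"].append(full)
            elif has_trailer(full, marker):
                found["encrypted"].append(full)
    found["encrypted"].sort()
    found["notes"].sort()
    return found


def build_sample_tree(base):
    """Create a constructed directory of sample files for the demo (not real data)."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "report.pdf").write_bytes(b"%PDF-1.4 clean content")
    # "Encrypted" file: arbitrary bytes followed by the trailer marker.
    (base / "docs" / "budget.xlsx").write_bytes(b"\x00\x11\x22" * 10 + MARKER)
    # Shorter than the marker: must not be flagged.
    (base / "docs" / "tiny").write_bytes(b"\xdd")
    (base / RANSOM_NOTE).write_text("Your files are encrypted...\n")
    return str(base)


def demo():
    """Run the triage over the constructed tree and return basenames only."""
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(build_sample_tree(tmp))
        return {
            "encrypted": [os.path.basename(p) for p in result["encrypted"]],
            "notes": [os.path.basename(p) for p in result["notes"]],
        }


if __name__ == "__main__":
    out = demo()
    print("Suspected encrypted files:", out["encrypted"])
    print("Ransom notes:", out["notes"])
```

On a real machine you would call triage() on the user's home directory (or a mounted image of it) instead of the constructed tree; the list of flagged files is the set to preserve for analysis before any cleanup.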
Victims are told to pay a $50 ransom in bitcoin within three days (72 hours) to recover their encrypted files.
EvilQuest uses the same static Bitcoin address for all victims and does not include an email address for contacting the attackers after payment.
This makes it impossible for the attackers to identify which victims have paid, and impossible for a victim to contact the ransomware operators to obtain a decryptor.
Wipers, however, are commonly used as a cover for other malicious activity.
Wiper malware used to steal data
After analyzing the malware, we believe the ransomware is only a decoy for its real purpose:
searching for and stealing certain types of files from the infected computer.
The tasks performed with the above command are:
- Delete the files /Users/user1/client/exec.command and /Users/user1/client/click.js.
- Download and install pip.
- Install the Python requests library.
- Download p.gif, which is actually a Python file, and run it.
- Download pct.gif, another Python file, and run it.
The p.gif file is a heavily obfuscated Python script, and we could not determine its functionality.
What should victims do?
As you can see, the EvilQuest wiper is far more harmful than first thought: not only is data encrypted, it may be impossible to decrypt even if the victim pays.
To make matters worse, the malware steals files from the computer that may contain sensitive information usable for a range of malicious purposes, such as identity theft, password harvesting and theft of private keys and security certificates.
If your Mac is infected with this malware, you should assume that any files with the reported extensions have been stolen or tampered with in some way.