Saturday, January 23, 11:06

ThiefQuest: Removed ransomware functionality from Mac malware

The group behind the Mac malware known as ThiefQuest continues to enhance and improve its creation, while researchers have noticed that the latest versions of this threat no longer include ransomware functionality. First seen in late June, ThiefQuest, also known as EvilQuest, initially appeared to be a piece of ransomware, but a detailed analysis showed that it also allowed its operators to steal data and take full control of an infected device. In addition, the researchers observed that the ransomware functionality was deficient and that the main purpose of the malware may not have been to profit from ransoms paid by the victims.

ThiefQuest Mac malware

It seems that the ThiefQuest operators did not plan for the recovery of encrypted files, yet they also made little effort to ensure that encrypted files could not be recovered, which allowed SentinelOne to develop a tool that enables victims to recover their files.

Although its ransomware capabilities may not stand out, ThiefQuest allows its operators to steal various types of information, including images, documents, databases, source code, encryption keys and cryptocurrency wallets.

Trend Micro researchers analyzed many samples of the Mac malware and noticed that its creators continue to make changes and improvements. In particular, they found that the latest variants of ThiefQuest do not include file encryption features and that the malware no longer leaves a ransom note. It is worth noting that the initial versions of the malware, first observed in early June, focused on providing backdoor features, while ransomware functionality was added only in the second and third generations. The fourth generation, which appeared in early July, does not include ransomware capabilities.

Trend Micro researchers have, however, noticed a new feature that allows the malware to open image and audio files using the default macOS applications. This may indicate that the creators of ThiefQuest plan to restore ransomware functionality, as previous variants of the threat displayed a ransom note in a window and used the macOS text-to-speech capability to read it out to the targeted victims. The new features could be used for similar purposes in the future.


Other changes identified by Trend Micro in more recent versions of ThiefQuest relate to payload loading, compression and decompression, generation of the C&C server IP address, and changes to filenames and server subdomain names.

The creators of ThiefQuest have also made some improvements to the functionality designed to determine whether the malware is running in an analysis environment, which is intended to hinder researchers analyzing ThiefQuest. Finally, the malware checks the compromised system for the presence of security products and, if it finds any, tries to terminate them.

