K7 Labs malware researcher Dinesh Devadoss discovered a new form of malware aimed at Mac computers. ThiefQuest (originally dubbed EvilQuest, until researchers discovered that’s the name of a Steam game) isn’t simply ransomware but also contains spyware that allows it to exfiltrate an infected computer’s files, search it for passwords and cryptocurrency wallet data, and nab passwords and credit card numbers. Even after a computer reboots, the spyware lingers as a backdoor that could be used for a second-stage attack.
Wired reports Jamf principal security researcher Patrick Wardle’s assessment: his “current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system … and then they also added some ransomware capability as a way to make extra money.” The malware is currently infecting computers through pirated, unvetted software.
Malwarebytes director of Mac & mobile platforms Thomas Reed reported that “ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton.”
For a Mac to become infected, the user would “need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it.” Researchers revealed that “it doesn’t seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide.”
The ransomware component “only lists a static Bitcoin address where victims can send money … [and] given Bitcoin’s anonymity features, attackers who intended to decrypt a victim’s systems upon receiving payment would have no way to tell who had paid already and who hadn’t.”
The note also doesn’t “list an email address that victims can use to correspond with the attackers about receiving a decryption key — another sign that the malware may not actually be intended as ransomware.” Wired adds that “perhaps the malware is using ransomware’s hallmark file encryption as a destructive tool in an attempt to permanently lock users out of their computers. Or maybe ThiefQuest is just looking to get as much money out of victims as possible.”
9to5Mac reports that ThiefQuest was “first found in a pirate copy of the Little Snitch app available on a Russian forum with torrent links … [adding that] the downloaded app comes with a PKG installer file, unlike its original version.” Malwarebytes found that the PKG file includes a “postinstall script” that installs the malware on macOS. In the trojanized Little Snitch installer, the malware was copied to a folder under the name CrashReporter, mimicking the name of a legitimate internal macOS component.
The malware “causes the Finder not to work properly and the system crashes constantly … [and] even the system’s Keychain gets corrupted, so it’s impossible to access passwords and certificates saved on the Mac.” 9to5Mac adds that “there’s still no way to get rid of malware after it has encrypted the files without formatting the entire disk.”