
New ThiefQuest Mac Ransomware Has More to It Than Meets the Eye

The threat of ransomware is nearly everywhere nowadays, but most strains still target non-Apple machines. Although the first full Mac ransomware appeared four years ago, there have been few new threats aimed at Apple products compared to the rest. The ThiefQuest malware is a newcomer to the field and is essentially the same threat that is also known as EvilQuest. ThiefQuest has several capabilities that make it more interesting than earlier Mac malware.

The ThiefQuest ransomware has a set of spyware capabilities that allow it to pull files from infected computers, look for passwords and cryptocurrency data, and run a keylogger to capture passwords, sensitive information or banking data. The spyware components of ThiefQuest stick around as a backdoor on infected devices, meaning they stay active after the computer reboots and may be used for second-stage attacks. Considering the rarity of malware on Macs, this development suggests a new era may be just around the corner.

According to Patrick Wardle, a researcher at the Mac management company Jamf, if the ransomware and backdoor logic are viewed separately, each makes sense as an individual piece of malware. Compiling them together, however, shows that someone was designing malware that lets them completely control an infected Mac remotely. The ransomware was added as a way of making more money, Wardle added.

Although ThiefQuest has plenty of dangerous features, it is unlikely to infect a Mac whose user does not install pirated software. ThiefQuest is being distributed on torrent websites bundled with legitimate software, specifically the security app Little Snitch, the DJ software Mixed In Key, and others. The malware is disguised as a Google software update program; researchers say it has not seen a large number of downloads, and no payments have been made to the Bitcoin address provided by the attackers.

For a Mac to become infected, a user would need to download a compromised installer and then dismiss a number of warnings from Apple software in order to run it. Users should download software only from trustworthy sources, where developers have their code signed by Apple to prove it is legitimate. ThiefQuest shows the risks of downloading software from unverified sources.
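The check that paragraph recommends, as an added example that is not code from the article, Jamf or Apple: before opening a downloaded installer, ask Gatekeeper (`spctl --assess`) whether it accepts the file, read the signing chain with `codesign -dvv`, and note whether the `com.apple.quarantine` attribute that triggers Gatekeeper's warnings is present. The file paths, team identifier and tool output below are constructed samples; the two parsing helpers run on any host, while `assess_installer` needs the real macOS tools.

```shell
#!/bin/sh
# Added example, not code from the article or from Jamf: check a downloaded
# installer or app before opening it. On macOS it runs spctl (Gatekeeper
# assessment), codesign (signing chain) and xattr (quarantine flag); the two
# parsing helpers are pure shell, so they run on any host.

# Constructed sample output (not real tool output from the article) used for
# the offline demonstration at the bottom of this script.
SAMPLE_ACCEPTED='/Users/me/Downloads/Example.pkg: accepted
source=Notarized Developer ID'
SAMPLE_REJECTED='/Users/me/Downloads/Example.pkg: rejected
source=no usable signature'
SAMPLE_CODESIGN='Executable=/Users/me/Downloads/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Reduce `spctl --assess` output to accepted / rejected / unknown.
spctl_verdict() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# Print the leaf signing authority from `codesign -dvv` output, or "none"
# when there is no certificate chain (unsigned or ad-hoc signed binaries).
codesign_authority() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1 | grep . || echo none
}

# Assess a real file. Exit status: 0 = Gatekeeper accepts it and it carries a
# certificate-backed signature; 1 = rejected or unsigned; 2 = tools not present.
assess_installer() {
    path="$1"
    if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
        echo "spctl/codesign not found; run this on macOS" >&2
        return 2
    fi
    # Installer packages are assessed with --type install; apps use the default.
    case "$path" in
        *.pkg) out=$(spctl --assess --type install -vv "$path" 2>&1) ;;
        *)     out=$(spctl --assess -vv "$path" 2>&1) ;;
    esac
    verdict=$(spctl_verdict "$out")
    authority=$(codesign_authority "$(codesign -dvv "$path" 2>&1)")
    # The quarantine attribute is what makes Gatekeeper check a downloaded file.
    quarantine=$(xattr -p com.apple.quarantine "$path" 2>/dev/null || echo absent)
    echo "$path: gatekeeper=$verdict authority=$authority quarantine=$quarantine"
    [ "$verdict" = accepted ] && [ "$authority" != none ]
}

# Offline demonstration on the constructed samples.
echo "sample accepted  -> $(spctl_verdict "$SAMPLE_ACCEPTED")"
echo "sample rejected  -> $(spctl_verdict "$SAMPLE_REJECTED")"
echo "sample authority -> $(codesign_authority "$SAMPLE_CODESIGN")"
# Real check (only meaningful on macOS): assess_installer "$HOME/Downloads/Example.pkg"
```

A file that Gatekeeper rejects, or whose `codesign` output has no `Authority=` line, is exactly the kind of installer the article warns about: running it means clicking through the warnings that this script is meant to make you read first. An "accepted" verdict is not proof that the software is safe, only that it is signed by an identity Apple has issued and has not been revoked.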

Apple Declines to Comment

Although ThiefQuest is an extensive suite of malware that combines ransomware and spyware capabilities, it is unclear what its end goal is, because the components seem incomplete. The malware shows a ransom note demanding payment, but it lists a single static Bitcoin address where all victims are to send their cryptocurrency. Given the anonymity of Bitcoin, attackers who wanted to decrypt a victim's system upon receiving money would have no way of knowing whether that particular victim had paid. The note does not list any email address victims could use to contact the attackers and receive a decryption key. That may be a sign the malware was never intended as ransomware, but the functionality remains. Jamf also found that the malware contains all the components needed to decrypt the files, but they are not wired up to actually do so.

The researchers believe that attackers looking to perform reconnaissance with the spyware would want to be as stealthy as possible. Adding ransomware capabilities undermines that goal by turning it into a high-profile threat that makes itself known almost right away. An infected machine displaying a ransom note is hardly one its owner will keep using for casual shopping or spending money. Ransomware also does not need to persist across multiple reboots to do its job. The way ThiefQuest announces its presence leads users and the security community to flag and analyze it, blocking its access in the future.

The ThiefQuest Malware Possesses Obfuscation Capabilities

The malware includes some obfuscation that helps it hide: it will not run if it detects security tools designed to catch such threats, and it also stays quiet when executed inside a sandbox environment or virtual machine used for testing. When analyzing the code, researchers found that only some components were obscured to make their purpose hard to understand, while others were left completely unencrypted.

It is possible the malware was designed to run quietly as spyware and collect data first, launching the noisy ransomware afterwards in an effort to extract some funds from the victim before the attackers move on. During testing, some researchers found it harder than others to push the malware into encrypting files during the ransomware phase, which may be connected to that, but the malware also exhibits buggy behavior, making it hard to ascertain the developers' original intent.

Given that it is distributed through torrents and focuses on stealing money, researchers say it was likely made by criminal hackers rather than state actors using it for espionage. In some cases, ransomware is imitated to serve as a distraction when the attackers are aiming for a different outcome. NotPetya was one such example: it posed as ransomware but behaved more like a wiper. Considering the overall rarity of Mac-based ransomware, it is surprising to see ThiefQuest making such a move.
