ThiefQuest.F, also known as EvilQuest, is a malware threat targeting macOS computers that emerged in July 2020. Its main capabilities are encrypting files and installing a keylogger on the infected system. ThiefQuest.F's most common distribution method observed so far is popular torrent websites: malware researchers have found the malicious executable bundled into pirated macOS applications shared on such sites. According to published reports, deeper analysis indicates that ransomware activity is not the main purpose of ThiefQuest.F attacks. Rather, researchers believe the file encryption is a decoy that draws attention away from the threat's other capabilities, namely keylogging, file exfiltration, and Command and Control (C&C) communication.
Malware experts have already analyzed several versions of ThiefQuest.F. The latest ones carry stronger capabilities and appeared only a few days after the older variants. Interestingly, the threat actors behind ThiefQuest.F removed the ransomware behavior in the latest versions while adding several new features, among them a new routine that computes the addresses of the newly added functions and calls them through those computed addresses. The new parts concern the malware's ability to read and attach its payload, a method for compressing and decompressing the bundle, and a procedure that derives IP addresses from random numbers and, when that succeeds, uses the resulting addresses as C&C server addresses. The newly analyzed ThiefQuest.F samples also include improved anti-detection techniques.
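Deriving C&C addresses from random numbers has a side effect a defender can look for: the process connects to a public IP address that no DNS answer ever returned to it, and it does so for several unrelated addresses in a short time. The script below is an added example written for this page, not code from the page or a ThiefQuest.F artifact. It runs that heuristic over a constructed list of DNS and connection events; the record layout, the process name `sample_bin`, and the use of documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as stand-ins for routable destinations are all assumptions made for the example.

```python
"""Flag outbound connections to public IPs that the connecting process did
not obtain from a recent DNS answer (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Destinations that never indicate external C&C: loopback, RFC 1918,
# link-local and multicast. Documentation ranges are deliberately NOT
# excluded so they can stand in for routable addresses in the sample data.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

# Constructed sample events: (ISO timestamp, kind, process, IPv4 address).
# kind "dns"  -> an address returned in a DNS answer to that process
# kind "conn" -> an outbound connection attempt by that process
SAMPLE_EVENTS = [
    ("2020-07-01T10:00:00", "dns",  "Safari",     "93.184.216.34"),
    ("2020-07-01T10:00:01", "conn", "Safari",     "93.184.216.34"),
    ("2020-07-01T10:00:05", "conn", "sample_bin", "203.0.113.77"),
    ("2020-07-01T10:00:06", "conn", "sample_bin", "198.51.100.9"),
    ("2020-07-01T10:00:07", "conn", "sample_bin", "192.0.2.140"),
    ("2020-07-01T10:00:08", "conn", "sample_bin", "127.0.0.1"),    # loopback, ignored
    ("2020-07-01T10:30:00", "conn", "Safari",     "93.184.216.34"),  # DNS answer is stale by now
]


def _is_local(ip):
    return any(ip in net for net in _LOCAL_NETS)


def _parse(events):
    for ts, kind, proc, value in events:
        yield datetime.fromisoformat(ts), kind, proc, ipaddress.ip_address(value)


def find_unresolved_connections(events, window_minutes=10):
    """Return (process, ip) for every outbound connection to a non-local
    address that the same process did not receive in a DNS answer within
    the preceding `window_minutes`. Events may arrive in any order."""
    window = timedelta(minutes=window_minutes)
    last_dns = defaultdict(dict)   # process -> {ip: time of last DNS answer}
    flagged = []
    for ts, kind, proc, ip in sorted(_parse(events), key=lambda e: e[0]):
        if kind == "dns":
            last_dns[proc][ip] = ts
        elif kind == "conn" and not _is_local(ip):
            seen = last_dns[proc].get(ip)
            if seen is None or ts - seen > window:
                flagged.append((proc, str(ip)))
    return flagged


def suspicious_processes(events, min_distinct=3, window_minutes=10):
    """Processes that contacted at least `min_distinct` distinct unresolved
    addresses: the pattern a random-address C&C search produces. A single
    unresolved connection (e.g. a cached DNS answer) is not enough on its own."""
    per_proc = defaultdict(set)
    for proc, ip in find_unresolved_connections(events, window_minutes):
        per_proc[proc].add(ip)
    return {proc for proc, ips in per_proc.items() if len(ips) >= min_distinct}


if __name__ == "__main__":
    for proc, ip in find_unresolved_connections(SAMPLE_EVENTS):
        print(f"unresolved destination: {proc} -> {ip}")
    print("suspicious:", suspicious_processes(SAMPLE_EVENTS))
```

Safari's late connection is reported by the per-connection check only because the window is short; the process-level threshold is what separates one stale cache hit from a burst of connections to distinct raw addresses. The window and threshold are tuning knobs, and long DNS TTLs argue for a generous window in production.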
Having observed these new variants and their improved features, malware researchers expect that the threat actors behind ThiefQuest.F have further plans and that new variants will follow soon.