The new Mac Ransomware is even more sinister than it sounds


The threat of ransomware may seem ubiquitous, but there haven’t been many strains designed specifically to infect Apple Mac computers since the first fully functional Mac ransomware surfaced just four years ago. So when Dinesh Devadoss, a malware researcher at K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was notable. It turns out, though, that the malware, which researchers now call ThiefQuest, only gets more interesting from there. (The researchers originally called it EvilQuest, until they discovered the Steam game series of the same name.)

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to capture passwords, credit card numbers, or other financial information as the user types it. The spyware component also persistently installs itself as a backdoor on infected devices, meaning it survives a reboot, and could be used as a launch pad for additional or “second-stage” attacks. Since ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

“Looking at the code, if you split the ransomware logic from all the other backdoor logic, the two pieces make sense as individual malware. But compiling them together is kind of like ‘what?’” says Patrick Wardle, principal security researcher at the Mac management firm Jamf. “My current intuition about all of this is that someone was basically designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capabilities as a way to earn extra money.”

Although ThiefQuest is packed with menacing features, it is unlikely to infect your Mac any time soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, such as the Little Snitch security app, the DJ software Mixed In Key, and the music production platform Ableton. K7’s Devadoss notes that the malware itself is designed to look like a “Google Software Update program.” So far, though, researchers say it doesn’t appear to have had a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide.

For your Mac to get infected, you would need to download a trojanized installer and then dismiss a series of Apple warnings in order to run it. It’s a good reminder to get your software from trusted sources, such as developers whose code is signed with an Apple-issued certificate, so that macOS can verify who published it and that it hasn’t been tampered with since, or from Apple’s own App Store. But if you’re someone who already torrents programs and is used to clicking past Apple’s warnings, ThiefQuest illustrates the risks of that approach.
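For the advice in the paragraph above, here is an added example (not code from the article or from the researchers it quotes) of how a practitioner would inspect a downloaded app’s signature on macOS before clicking through Gatekeeper’s warnings. It wraps Apple’s own `codesign` and `spctl` command-line tools, which exist only on macOS; the tool output embedded in the script is constructed, with placeholder bundle identifiers and team ID, so that the parsing and classification logic can be exercised on any platform.

```python
"""
Classify a macOS app's code signature before running it.

Added example, not code from the article or any quoted researcher. The live
check shells out to Apple's `codesign` and `spctl`; the SAMPLE_* strings are
constructed imitations of `codesign -dvv` output with placeholder identifiers.
"""
import shutil
import subprocess
from dataclasses import dataclass, field

APPLE_ROOT = "Apple Root CA"                       # every Apple-issued chain ends here
DEV_ID_PREFIX = "Developer ID Application:"        # leaf cert for apps distributed outside the store
APP_STORE_LEAF = "Apple Mac OS Application Signing"  # leaf cert Apple uses for App Store builds


@dataclass
class SignatureInfo:
    identifier: str = ""
    team_id: str = ""
    adhoc: bool = False
    authorities: list = field(default_factory=list)  # leaf first, root last

    def classify(self) -> str:
        """Map the certificate chain to a coarse trust category."""
        if self.adhoc:
            return "adhoc"            # self-signed: no identity stands behind it
        if not self.authorities:
            return "unsigned"
        if self.authorities[-1] != APPLE_ROOT:
            return "untrusted-root"   # chain does not terminate at Apple's root
        leaf = self.authorities[0]
        if leaf.startswith(DEV_ID_PREFIX):
            return "developer-id"
        if leaf == APP_STORE_LEAF:
            return "app-store"
        return "other-apple"


def parse_codesign_details(text: str) -> SignatureInfo:
    """Parse the key=value lines that `codesign -dvv <path>` prints to stderr."""
    info = SignatureInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Identifier="):
            info.identifier = line.split("=", 1)[1]
        elif line.startswith("TeamIdentifier="):
            info.team_id = line.split("=", 1)[1]
        elif line.startswith("Authority="):
            info.authorities.append(line.split("=", 1)[1])
        elif line.startswith("CodeDirectory") and "(adhoc)" in line:
            info.adhoc = True
    return info


def should_run(category: str, signature_intact: bool, gatekeeper_accepts: bool) -> bool:
    """Conservative policy: an intact Developer ID or App Store signature that
    Gatekeeper also accepts is the only combination that gets a green light."""
    return category in ("developer-id", "app-store") and signature_intact and gatekeeper_accepts


def assess_path(path: str) -> dict:
    """Run the real tools against a bundle or binary (macOS only)."""
    if shutil.which("codesign") is None or shutil.which("spctl") is None:
        raise RuntimeError("codesign/spctl not found: this check only runs on macOS")
    details = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    info = parse_codesign_details(details.stderr)
    # --verify fails when bundle contents no longer match the signed code
    # directory, e.g. a payload dropped into an otherwise legitimate installer.
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    # Gatekeeper's verdict: the same policy behind the warnings a user sees.
    gate = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                          capture_output=True, text=True)
    return {
        "category": info.classify(),
        "identifier": info.identifier,
        "team_id": info.team_id,
        "signature_intact": verify.returncode == 0,
        "gatekeeper_accepts": gate.returncode == 0,
    }


# Constructed sample output; "com.example.app" and "ABCDE12345" are placeholders.
SAMPLE_DEVELOPER_ID = """\
Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Software Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

SAMPLE_ADHOC = """\
Executable=/Volumes/Cracked/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=1234 flags=0x2(adhoc) hashes=30+5 location=embedded
Signature=adhoc
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess_path(sys.argv[1]))          # e.g. python3 check_sig.py /Applications/Foo.app
    else:
        for label, sample in (("developer-id sample", SAMPLE_DEVELOPER_ID), ("adhoc sample", SAMPLE_ADHOC)):
            print(label, "->", parse_codesign_details(sample).classify())
```

A trojanized copy of a signed app fails `codesign --verify` because the bundle’s contents no longer match the signed code directory, and an app that was never signed, or was only ad-hoc signed, carries no developer identity at all. A valid Developer ID signature establishes who signed the code, not that it is safe; Apple can revoke a Developer ID certificate after abuse, which is one reason to weigh Gatekeeper’s live verdict rather than the certificate category alone.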

Apple declined to comment for this story.

Although ThiefQuest has a comprehensive set of capabilities that merge ransomware with spyware, it’s unclear what it is ultimately for, particularly since the ransomware component appears incomplete. The malware displays a ransom note demanding payment, but it lists only a single static Bitcoin address for victims to send money to. Since every victim is told to pay the same address, and a Bitcoin transaction identifies neither the payer nor the infected machine, attackers who actually intended to decrypt a victim’s files on receipt of payment would have no way of knowing who had paid and who hadn’t. Additionally, the note lists no email address that victims could use to contact the attackers about receiving a decryption key, another sign that the malware is not really meant to function as ransomware. Jamf’s Wardle also found in his analysis that while the malware contains all the components it would need to decrypt the files, they don’t appear to be configured to actually work in the wild.
