The ransomware threat may seem ubiquitous, but there haven’t been many strains specifically designed to infect Apple Macs since the first full-fledged Mac ransomware appeared just four years ago. So when Dinesh Devadoss, a malware researcher at K7 Lab, released findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. But it turns out that the malware, which researchers now call ThiefQuest, only gets more interesting from there. (The researchers originally called it EvilQuest, until they discovered the Steam game series of the same name.)
In addition to ransomware, ThiefQuest has a second set of spyware capabilities that allow it to exfiltrate files from an infected computer, search for passwords and cryptocurrency wallet data, and run a robust keylogger to capture passwords, credit card numbers, or other financial information as the user types it. The spyware component also persists as a hidden backdoor on infected devices, meaning it survives a reboot, and could be used as a launch pad for additional or “second-stage” attacks. Since ransomware is so rare on Macs to begin with, this double whammy is especially notable.
“Looking at the code, if you divide the ransomware logic from all the other backdoor logic, the two pieces make complete sense as individual malware. But compiling them together is like, what?” says Patrick Wardle, principal security researcher at the Mac management firm Jamf. “My current intuition about all of this is that someone was basically designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capabilities as a way to earn extra money.”
Although ThiefQuest is packed with threatening features, it is unlikely to infect your Mac any time soon unless you download pirated, cracked software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with branded software, such as the Little Snitch security application, the DJ software Mixed In Key, and the music production platform Ableton. K7’s Devadoss notes that the malware itself is designed to look like a “Google software update program.” So far, though, researchers say it doesn’t appear to have a significant number of downloads, and no one has paid a ransom to the bitcoin address the attackers provide.
For your Mac to get infected, you would need to download a compromised installer and then dismiss a series of Apple warnings in order to run it. It’s a good reminder to get your software from trusted sources, such as developers whose code is “signed” by Apple to demonstrate its legitimacy, or from Apple’s App Store. But if you’re someone who already torrents programs and is used to ignoring Apple’s warnings, ThiefQuest illustrates the risks of that approach.
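The warnings the article refers to come from macOS Gatekeeper, which assesses whether a downloaded app carries a valid Developer ID or notarized signature. The script below is an added example, not code from the article or from any of the researchers quoted: it runs Apple's `spctl` assessment on a path and reduces the verbose verdict to `trusted`, `check` or `untrusted`, so a user who is about to run a torrented installer can see what Gatekeeper would say before clicking through. The sample output strings are constructed to match the shape of real `spctl` output; the developer name and team ID in them are invented, and the exact set of `source=` labels treated as trusted is an assumption based on the labels the tool commonly prints.

```shell
#!/bin/sh
# Added example (not from the article): classify a downloaded app or installer
# by Apple's Gatekeeper verdict. classify_gatekeeper_verdict parses the text
# that `spctl --assess --type execute -vv PATH` prints; assess_installer runs
# the real tool (macOS only) and feeds its output to the classifier.

# Map spctl's verbose output to a short verdict:
#   "accepted" from a Developer ID / notarized / App Store / Apple source -> trusted
#   "accepted" from any other source (assumption: treat as worth a look) -> check
#   "rejected", no usable signature, or anything unexpected              -> untrusted
classify_gatekeeper_verdict() {
    out="$1"
    case "$out" in
        *": accepted"*)
            case "$out" in
                *"source=Notarized Developer ID"*|*"source=Developer ID"*|*"source=Mac App Store"*|*"source=Apple System"*)
                    echo trusted ;;
                *)
                    echo check ;;
            esac ;;
        *)
            echo untrusted ;;
    esac
}

# Run Gatekeeper's assessment on a real path and classify it.
# spctl exits non-zero when it rejects the bundle, so capture output regardless.
assess_installer() {
    path="$1"
    out=$(spctl --assess --type execute -vv "$path" 2>&1) || true
    classify_gatekeeper_verdict "$out"
}

# Constructed sample outputs in the shape spctl prints (names and IDs invented).
SAMPLE_SIGNED="/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Developer (EXAMPLETEAM)"

SAMPLE_UNSIGNED="/Volumes/Example/Example.app: rejected
source=no usable signature"

# Usage: sh gatekeeper_check.sh /path/to/Downloaded.app
if [ "$#" -gt 0 ]; then
    assess_installer "$1"
fi
```

Run it against any `.app` bundle or `.pkg` you have downloaded; `untrusted` means Gatekeeper would refuse it and the only way to run it is to override the warning the article describes, which is exactly the step that lets ThiefQuest in.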
Apple declined to comment for this story.
What does it want
Although ThiefQuest has a comprehensive set of capabilities that merge ransomware with spyware, it’s not clear what it is ultimately after, particularly since the ransomware component seems incomplete. The malware displays a ransom note demanding payment, but it lists only a single static bitcoin address where victims can send money. Given bitcoin’s anonymity properties, attackers who intended to decrypt a victim’s systems upon receipt of payment would have no way of knowing who had paid and who had not. Additionally, the note does not list an email address that victims can use to contact the attackers and receive a decryption key, another sign that the malware is not really intended to function as ransomware. Jamf’s Wardle also found in his analysis that while the malware has all the components it would need to decrypt files, they don’t appear to be configured to actually work in the wild.
The researchers also emphasize that attackers looking to do clandestine reconnaissance with spyware generally want to be as quiet and unobtrusive as possible. Adding ransomware to the mix simply announces the malware’s presence and would likely change a user’s behavior on the device, because all of their files are encrypted and they are looking at a dramatic ransom note on their screen. It is not a situation in which you are likely to make casual purchases online or log into your bank account. Similarly, ransomware generally does not need to establish persistence on a device and survive reboots, since it only needs to start the encryption process. When a program announces itself as malware and then persists, it simply increases the likelihood that the security community will flag and analyze the software and block it in the future.
“I think if your primary goal was exfiltration of data, you would want to stay in the background, do it as quietly as possible, and have the best chance of going unnoticed,” says Reed of Malwarebytes. “So I really don’t get the point of this very loud ransomware. When I installed it for testing, every 30 seconds the computer would yell at me, beeping all the time. It’s really loud both literally and digitally.”
Concealment
The malware includes some obfuscation features to help it hide. It will not run if it detects certain security tools, like Norton Antivirus. It also lies low if opened in a digital environment that is often used for security testing, such as a sandbox or virtual machine. And in analyzing the code itself, the researchers say some components were carefully concealed, making it difficult to understand what they do. Oddly, though, others were left out in the open for anyone to see.
Wardle theorizes that the malware may have been intended to silently run its spyware module first, collect valuable data, and only launch the noisy ransomware as a last-ditch effort to raise some funds from a victim before moving on. In testing, some researchers found it harder than others did to get the malware to start encrypting files as part of its ransomware functionality, which may support Wardle’s theory. But the malware is buggy, and at the moment it is unclear what the developers’ true intention is.
Since the malware is distributed through torrents, appears to focus on stealing money, and still has some bugs, the researchers say it was probably created by criminal hackers rather than nation-state spies seeking to carry out espionage. Putting on a ransomware disguise as a distraction or false flag is not at all uncommon in the realm of Windows malware. The NotPetya malware, which caused the most shocking and expensive cyberattack in history, claimed to be ransomware, after all. Still, given how rare Mac ransomware is, it’s surprising to see ThiefQuest take such a shady approach.
Perhaps the malware is using ransomware’s distinctive file encryption as a destructive tool in an attempt to permanently lock users out of their computers. Or maybe ThiefQuest is simply looking to extract as much money from victims as possible. The real question with Mac ransomware, as always, is what will come next?
This story first appeared on wired.com.