A rare new ransomware strain targeting macOS users has been discovered, called EvilQuest. Researchers say the ransomware is being distributed via various versions of pirated software.
EvilQuest, first discovered by security researcher Dinesh Devadoss, goes beyond the normal encryption capabilities for run-of-the-mill ransomware, including the ability to deploy a keylogger (for monitoring what’s typed into devices) and the capability to steal cryptocurrency wallets on the victims’ systems.
EvilQuest samples have been found in various versions of pirated software, which are being shared on BitTorrent file-sharing sites. While this method of infection is relatively unsophisticated, it is common for other macOS malware variants – including OSX.Shlayer – “thus indicating it is (at least at some level) successful,” according to Patrick Wardle, security researcher with Jamf, in a Monday analysis.
While Devadoss found the ransomware purporting to be a Google Software Update package, Wardle inspected a ransomware sample that was being distributed via a pirated version of “Mixed In Key 8,” which is software that helps DJs mix their songs.
Another sample was analyzed Tuesday by Thomas Reed, director of Mac and mobile with Malwarebytes, in a malicious, pirated version of Little Snitch. Little Snitch is a legitimate, host-based application firewall for macOS. The malicious installer was found available for download on a Russian forum dedicated to sharing torrent links.
“The legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed,” Reed said. “However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.”
Once a victim downloads these various malicious apps, they install an executable file, named “patch”, into the “/Users/Shared/” directory. After the installation process is completed, a post-install script is then downloaded, and used to load and trigger the executable. The ransomware then begins encrypting victims’ files by invoking the “eip_encrypt” function. Once file encryption is complete, it creates a text file (READ_ME_NOW) with the ransom instructions (the ransom for the samples found was $50).
Interestingly, to ensure the victims see the ransom note, the ransomware displays a text-to-speech prompt, which reads the ransom note aloud to the victim via the macOS built-in “voice” capabilities.
Reed found that “the malware… appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in, post-encryption.”
The ransomware also has capabilities for in-memory code execution, anti-analysis and persistence, researchers found. As part of its anti-analysis measures, EvilQuest includes the functions “is_debugging” and “is_virtual_mchn.” These features attempt to thwart debugging efforts, as well as sniff out whether it’s being run inside a virtual machine (both indications that a malware researcher may be attempting to analyze it).
The malware was meanwhile spotted making calls for CGEventTapCreate, which is a system routine that allows for monitoring of events like keystrokes, and is commonly used by malware for keylogging. Researchers found tasks from the ransomware’s command and control (C2) server prompting it to start a keylogger.
The ransomware also has the capabilities to detect several cryptocurrency wallet files, with commands to hunt out the following specific ones: “wallet.pdf”, “wallet.png”, “key.png” and “*.p12.”
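The artifacts named above (the “patch” executable dropped into /Users/Shared/, the READ_ME_NOW ransom note, and the wallet file names the malware hunts for) lend themselves to a simple host triage check. The following is an added example, not code from the article or from the researchers cited; it walks a volume root (assumed to be a mounted disk or a copied triage image) and reports those indicators, with the sample directory tree constructed inline for demonstration. It assumes the ransom note name may carry an extension, so it matches on the READ_ME_NOW prefix.

```python
import os
import fnmatch
import tempfile
from dataclasses import dataclass, field

# Indicators taken from the article: the dropped executable, the ransom note
# name, and the wallet file patterns the malware searches for.
DROPPED_EXECUTABLE = os.path.join("Users", "Shared", "patch")
RANSOM_NOTE = "READ_ME_NOW"  # assumption: matched as a prefix, extension may vary
WALLET_PATTERNS = ("wallet.pdf", "wallet.png", "key.png", "*.p12")


@dataclass
class Findings:
    dropper_present: bool = False
    ransom_notes: list = field(default_factory=list)
    wallet_files_at_risk: list = field(default_factory=list)


def scan_for_evilquest_indicators(root):
    """Walk `root` (a mounted volume or triage image, paths relative to it)
    and collect the EvilQuest-related artifacts the article describes.
    Wallet files are reported as at-risk data, not as infection evidence."""
    findings = Findings()
    findings.dropper_present = os.path.isfile(os.path.join(root, DROPPED_EXECUTABLE))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper().startswith(RANSOM_NOTE):
                findings.ransom_notes.append(path)
            elif any(fnmatch.fnmatch(name.lower(), p) for p in WALLET_PATTERNS):
                findings.wallet_files_at_risk.append(path)
    return findings


def build_sample_tree(infected=True):
    """Constructed sample volume layout for the demo (not a real infection)."""
    root = tempfile.mkdtemp(prefix="evilquest_demo_")
    rel_paths = [os.path.join("Users", "alice", "Documents", "wallet.pdf"),
                 os.path.join("Users", "alice", "certs", "id.p12"),
                 os.path.join("Users", "alice", "Documents", "notes.txt")]
    if infected:
        rel_paths += [DROPPED_EXECUTABLE,
                      os.path.join("Users", "alice", "Documents", RANSOM_NOTE + ".txt")]
    for rel in rel_paths:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")  # constructed placeholder content
    return root


if __name__ == "__main__":
    print(scan_for_evilquest_indicators(build_sample_tree()))
```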
Wardle said that the malware can meanwhile open a reverse shell to the C2 server. “Armed with these capabilities, the attacker can maintain full control over an infected host,” he warned.
EvilQuest joins a small list of ransomware families in the wild specifically targeting Mac users, including KeRanger and MacRansom. However, “there are still a number of open questions that will be answered through further analysis,” Reed said. “For example, what kind of encryption does this malware use? Is it secure, or will it be easy to crack (as in the case of decrypting files encrypted by the FindZip ransomware)? Will it be reversible, or is the encryption key never communicated back to the criminals behind it (also like FindZip)?”