New EvilQuest Ransomware Discovered Targeting MacOS Users
Mac users are now exposed to a new "EvilQuest" ransomware that encrypts files and causes a range of problems for the operating system. Malwarebytes published its analysis of the ransomware today; it is being distributed through pirated macOS apps. Besides encrypting the victim's files, EvilQuest also comes with capabilities to ensure persistence, log keystrokes, open a reverse shell, and steal cryptocurrency wallet-related files. With this development, EvilQuest joins a handful of ransomware strains that have exclusively singled out macOS, including KeRanger and Patcher.
The malicious code was first found in a pirated copy of the Little Snitch app available on a Russian forum with torrent links. Unlike the original, the downloaded app comes with a PKG installer file. By examining this PKG file, Malwarebytes discovered that the app ships with a "postinstall script," which is normally used to clean up after an installation completes. In this case, however, the script installs the malware on the system. The script file is copied to a folder related to the Little Snitch app under the name CrashReporter, so the user won't notice it running in Activity Monitor, since macOS has a built-in process with a similar name. The file is placed at /Library/LittleSnitchd/CrashReporter.
Malwarebytes notes that some time passes between installation and the ransomware starting its work, so the user won't associate it with the most recently installed app. Once the malicious code is activated, it encrypts system and user files using an as-yet unidentified encryption scheme. This encryption leaves the Finder unable to work properly and causes the system to crash constantly. Even the system's Keychain gets corrupted, making it impossible to access passwords and certificates saved on the Mac. A message on the screen tells the user to pay $50 to recover their files, otherwise everything will be deleted after three days.
The ransomware also has capabilities for in-memory code execution, anti-analysis and persistence, researchers found. As part of its anti-analysis measures, EvilQuest includes the functions "is_debugging" and "is_virtual_mchn." These attempt to thwart debugging, and to detect whether the malware is being run inside a virtual machine (both indications that a malware researcher may be attempting to analyze it).
The malware was also spotted making calls to CGEventTapCreate, a system routine that allows monitoring of events such as keystrokes and is commonly used by malware for keylogging. Researchers found tasks issued by the ransomware's command and control (C2) server instructing it to start a keylogger.
The ransomware also has the capability to detect several cryptocurrency wallet files, using commands that search for the following specific names: "wallet.pdf", "wallet.png", "key.png" and "*.p12."
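The indicators listed above (the "is_debugging" and "is_virtual_mchn" function names, the CGEventTapCreate call, the wallet file names, and the /Library/LittleSnitchd/CrashReporter persistence path) are what an incident responder would check for first. The following Python triage helper is an added example, not tooling from Malwarebytes or the researchers quoted here: it scans a file's bytes for the named strings and checks whether the persistence file exists. The Mach-O-like sample bytes, the scoring thresholds and the verdict labels are constructed for the demonstration.

```python
"""Defensive triage helper for the EvilQuest indicators reported in the article.

Added example; not Malwarebytes' or the researchers' code. Indicator strings and
the persistence path come from the article, everything else here is constructed.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Iterable, List

# Symbol and string indicators the article reports inside the EvilQuest binary.
ANTI_ANALYSIS_FUNCS = (b"is_debugging", b"is_virtual_mchn")
KEYLOG_API = (b"CGEventTapCreate",)
WALLET_TARGETS = (b"wallet.pdf", b"wallet.png", b"key.png", b"*.p12")

# Persistence location the article gives, relative to the volume root.
PERSISTENCE_PATH = "Library/LittleSnitchd/CrashReporter"

# Constructed stand-in for a suspicious Mach-O; the real sample is NOT embedded.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 32                     # fake 64-bit Mach-O magic + padding
    + b"_is_debugging\x00_is_virtual_mchn\x00"             # anti-analysis symbols
    + b"_CGEventTapCreate\x00"                             # event-tap import used for keylogging
    + b"wallet.pdf\x00wallet.png\x00key.png\x00*.p12\x00"  # wallet file targets
)
# Constructed benign binary: same header, no indicators.
CLEAN_BINARY = b"\xcf\xfa\xed\xfe" + b"\x00" * 32 + b"_NSApplicationMain\x00"


@dataclass
class TriageResult:
    anti_analysis: List[str] = field(default_factory=list)
    keylog_api: List[str] = field(default_factory=list)
    wallet_targets: List[str] = field(default_factory=list)
    persistence_file_present: bool = False

    @property
    def score(self) -> int:
        """Number of distinct indicator categories that hit (0..4)."""
        categories = (self.anti_analysis, self.keylog_api, self.wallet_targets)
        return sum(1 for hits in categories if hits) + int(self.persistence_file_present)

    @property
    def verdict(self) -> str:
        # CGEventTapCreate alone is common in legitimate accessibility and hotkey
        # apps, so a single category hit is "review", not "likely-evilquest".
        if self.score >= 2:
            return "likely-evilquest"
        if self.score == 1:
            return "review"
        return "clean"


def _matches(blob: bytes, needles: Iterable[bytes]) -> List[str]:
    """Return the needles present in blob, decoded and sorted for stable output."""
    return sorted(n.decode("ascii") for n in needles if n in blob)


def persistence_present(volume_root: str = "/") -> bool:
    """True if the disguised CrashReporter payload exists under volume_root."""
    return os.path.isfile(os.path.join(volume_root, PERSISTENCE_PATH))


def scan_blob(blob: bytes, volume_root: str = "/") -> TriageResult:
    """Score raw file bytes against the indicator sets and the persistence path."""
    return TriageResult(
        anti_analysis=_matches(blob, ANTI_ANALYSIS_FUNCS),
        keylog_api=_matches(blob, KEYLOG_API),
        wallet_targets=_matches(blob, WALLET_TARGETS),
        persistence_file_present=persistence_present(volume_root),
    )


def scan_file(path: str, volume_root: str = "/") -> TriageResult:
    with open(path, "rb") as fh:
        return scan_blob(fh.read(), volume_root)


def demo_infected_volume() -> str:
    """Create a throwaway directory that mimics an infected volume root (for testing)."""
    root = tempfile.mkdtemp(prefix="evilquest-demo-")
    marker = os.path.join(root, PERSISTENCE_PATH)
    os.makedirs(os.path.dirname(marker), exist_ok=True)
    with open(marker, "wb") as fh:
        fh.write(b"# constructed placeholder, not the real payload\n")
    return root


if __name__ == "__main__":
    import sys
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_blob(SAMPLE_BINARY)
    print(f"verdict={result.verdict} score={result.score} {result}")
```

Run it with a path to a file pulled from a suspect installer (for example the expanded postinstall script or the CrashReporter binary) to get a verdict; with no argument it scores the constructed sample. The string matches are deliberately plain substring checks, so the helper is a first-pass triage aid, not a replacement for a proper static analysis of the binary.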
Wardle said that the malware can also open a reverse shell to the C2 server. "Armed with these capabilities, the attacker can maintain full control over an infected host," he warned.
EvilQuest joins a small list of ransomware families in the wild specifically targeting Mac users, including KeRanger and MacRansom. However, “there are still a number of open questions that will be answered through further analysis,” Reed said. “For example, what kind of encryption does this malware use? Is it secure, or will it be easy to crack (as in the case of decrypting files encrypted by the FindZip ransomware)? Will it be reversible, or is the encryption key never communicated back to the criminals behind it (also like FindZip)?”
“The best way of avoiding the consequences of ransomware is to maintain a good set of backups,” Reed concluded. “Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times.”