EvilQuest Mac Malware

Walden Systems Geeks Corner News

A new ransomware family called EvilQuest has been found targeting macOS users. Researchers report that it is being distributed inside pirated software. EvilQuest goes beyond the file encryption of run-of-the-mill ransomware: it can deploy a keylogger to capture what the victim types, and it searches infected systems for cryptocurrency wallet files to steal.

EvilQuest samples have been found bundled into pirated software shared on BitTorrent file-sharing sites. The method is unsophisticated, but it works. Researchers found one sample posing as a Google Software Update package, and another distributed inside a pirated copy of Mixed In Key 8, a tool DJs use to mix tracks. A third was found in a pirated copy of Little Snitch, a legitimate host-based application firewall for macOS; that malicious installer was offered for download on a Russian forum dedicated to sharing torrent links.


When a victim runs one of these trojanized installers, it drops an executable named patch into the /Users/Shared/ directory. Once the legitimate installation has completed, the package's postinstall script loads and triggers that executable. The ransomware then encrypts the victim's files by invoking its eip_encrypt function. When encryption is complete, it writes a text file containing the ransom instructions and, to make sure the victim notices, invokes text-to-speech to read the ransom note aloud.

The ransomware also has capabilities for in-memory code execution, anti-analysis and persistence. To frustrate analysis, EvilQuest includes functions named is_debugging and is_virtual_mchn: the first checks whether a debugger is attached to the process, the second whether the sample is running inside a virtual machine. Either result lets the malware change its behavior while it is being examined, which hinders debugging and sandbox-based detection.

The ransomware also searches for several kinds of cryptocurrency wallet files, looking for names matching wallet.pdf, wallet.png, key.png and *.p12. It can open a reverse shell to its command-and-control (C2) server, which gives the attacker full interactive control over an infected host. EvilQuest joins a short list of ransomware families that target Mac users, alongside KeRanger and MacRansom. At the time of writing, researchers did not know whether its encryption could be cracked or whether the damage was reversible.
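As an added triage example (this is not code from the article or from the researchers it cites), the following POSIX shell script checks a macOS volume for the two host indicators described above: the executable dropped at /Users/Shared/patch, and the function names eip_encrypt, is_debugging and is_virtual_mchn appearing as plain strings inside a binary. The script name, the ROOT argument, the function names check_dropped_patch, count_evilquest_symbols and scan_binary, and the "all three names present" threshold are my own choices; ROOT lets the script run against a mounted disk image or a test directory instead of the live system.

```shell
#!/bin/sh
# evilquest_triage.sh (added example; not from the article or its cited researchers).
# Looks for two indicators the article describes:
#   1. an executable named "patch" dropped into /Users/Shared/
#   2. the function names eip_encrypt, is_debugging and is_virtual_mchn
#      present as plain strings inside a binary.
# ROOT is an assumed parameter so the script can be pointed at a mounted
# image or a test directory rather than the running system.

EVILQUEST_SYMBOLS="eip_encrypt is_debugging is_virtual_mchn"

# check_dropped_patch ROOT
# Return 0 (and print a line) if ROOT/Users/Shared/patch exists and is executable.
check_dropped_patch() {
    root="${1:-/}"
    f="${root%/}/Users/Shared/patch"
    if [ -f "$f" ] && [ -x "$f" ]; then
        printf 'SUSPECT: %s exists and is executable\n' "$f"
        return 0
    fi
    return 1
}

# count_evilquest_symbols FILE
# Print how many of the names in EVILQUEST_SYMBOLS occur as fixed strings in FILE.
# grep -a treats the binary as text; LC_ALL=C avoids multibyte decoding complaints.
count_evilquest_symbols() {
    file="$1"
    n=0
    [ -r "$file" ] || { echo 0; return 1; }
    for sym in $EVILQUEST_SYMBOLS; do
        if LC_ALL=C grep -aqF -- "$sym" "$file"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# scan_binary FILE
# Report FILE as suspect only when it carries every listed name; a partial match
# is printed but not flagged, since single names can occur in unrelated software.
scan_binary() {
    hits=$(count_evilquest_symbols "$1")
    total=0
    for sym in $EVILQUEST_SYMBOLS; do total=$((total + 1)); done
    if [ "$hits" -eq "$total" ]; then
        printf 'SUSPECT: %s contains %s/%s EvilQuest function names\n' "$1" "$hits" "$total"
        return 0
    fi
    printf 'no flag: %s matched %s/%s names\n' "$1" "$hits" "$total"
    return 1
}

# Script mode: first argument is ROOT, remaining arguments are binaries to scan.
# With no arguments nothing runs, so the functions can also be sourced elsewhere.
if [ "$#" -gt 0 ]; then
    check_dropped_patch "$1" || printf 'no %s/Users/Shared/patch\n' "${1%/}"
    shift
    for bin in "$@"; do scan_binary "$bin" || :; done
fi
```

Run it as `sh evilquest_triage.sh / /Users/Shared/patch` on a live Mac, or give it the mount point of an image. A zero symbol count is inconclusive: a stripped or repacked build would not carry these names, and a file called patch in /Users/Shared is only a prompt to look further, so hash and preserve any hit rather than treating the script's output as a verdict.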