A new type of ransomware targeting macOS users, which spreads through pirated apps, has been discovered by security researchers.
The ransomware, dubbed EvilQuest, is packaged together with legitimate apps and, after installation, disguises itself as Apple’s CrashReporter or Google Software Update.
EvilQuest can encrypt the victim’s files, and it can also establish persistence, log keystrokes, create a reverse shell, and steal cryptocurrency wallet-related files.
The malware appears to originate from trojanized versions of popular macOS software, such as Little Snitch, the DJ software Mixed In Key 8, and Ableton Live, that are distributed on popular torrent sites.
According to Thomas Reed, director of Mac and mobile at Malwarebytes, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed. But this installer was a simple Apple installer package with a generic icon and it was distributed inside a disk image file.
After installation on the infected host, EvilQuest performs a sandbox check to detect sleep-patching and comes equipped with anti-debugging logic to ensure the malware program is not running under a debugger.
Malware commonly builds in delays: the first-ever Mac ransomware, KeRanger, waited three days between infecting the system and beginning to encrypt files. This disguises the source of the malware, since the malicious behavior may not be immediately associated with a program installed three days earlier.
It also destroys any security software, such as Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender, and Bullguard, that might detect or block its malicious behavior, and sets up persistence using launch agent and daemon property list files (“com.apple.questd.plist”) so that the malware restarts automatically each time the user logs in.
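As an added example (not code from the article or from the researchers it cites), the following Python triage script applies the persistence detail above to launchd property lists: it flags the named com.apple.questd.plist, Apple-style labels whose binary lives outside Apple-owned paths, and RunAtLoad/KeepAlive items that point at user-writable locations. The path roots are assumptions, and the two sample plists are constructed for the demonstration.

```python
import plistlib
from pathlib import Path

SYSTEM_LAUNCHD_DIRS = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
KNOWN_BAD_NAMES = {"com.apple.questd.plist"}   # plist name the article attributes to EvilQuest
APPLE_ROOTS = ("/System/", "/usr/", "/Library/Apple/")          # assumed: genuine Apple binaries
WRITABLE_ROOTS = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")  # assumed: dropper-writable

def assess_launchd_item(name: str, data: bytes) -> list[str]:
    """Return findings for one launchd plist; an empty list means nothing was flagged."""
    findings = []
    if name in KNOWN_BAD_NAMES:
        findings.append("file name matches the EvilQuest persistence plist")
    try:
        item = plistlib.loads(data)
    except Exception:  # not a parseable XML or binary plist
        return findings + ["plist does not parse"]
    label = str(item.get("Label", ""))
    args = item.get("ProgramArguments") or []
    program = str(item.get("Program") or (args[0] if args else ""))
    # An Apple-style label whose binary lives outside Apple-owned paths is a masquerade.
    if label.startswith("com.apple.") and program and not program.startswith(APPLE_ROOTS):
        findings.append(f"label {label!r} masquerades as Apple but runs {program!r}")
    # RunAtLoad/KeepAlive on a user-writable binary is how the malware restarts at login.
    if (item.get("RunAtLoad") or item.get("KeepAlive")) and program.startswith(WRITABLE_ROOTS):
        findings.append(f"auto-restarts binary in user-writable path {program!r}")
    return findings

def scan_launchd_dirs(dirs=None) -> dict[str, list[str]]:
    """Scan the real persistence directories; only items with findings are returned."""
    if dirs is None:  # system-wide dirs plus the current user's agents
        dirs = SYSTEM_LAUNCHD_DIRS + [Path.home() / "Library/LaunchAgents"]
    results = {}
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            if hits := assess_launchd_item(p.name, p.read_bytes()):
                results[str(p)] = hits
    return results

# Constructed samples: the first mimics the article's description (path and flags are made up).
SAMPLE_QUESTD = plistlib.dumps({"Label": "com.apple.questd", "RunAtLoad": True,
    "ProgramArguments": ["/Users/alice/Library/.cache/com.apple.questd", "--silent"]})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]})

if __name__ == "__main__":
    print(assess_launchd_item("com.apple.questd.plist", SAMPLE_QUESTD))
    print(assess_launchd_item("com.example.updater.plist", SAMPLE_BENIGN))
    print(scan_launchd_dirs())
```

Run on a Mac, the final call walks the live launchd directories; on any other system it simply returns an empty result.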
In the final stage, EvilQuest launches a copy of itself and begins encrypting files, including cryptocurrency wallet (“wallet.pdf”) and keychain-related files, before displaying ransom instructions demanding $50 within 72 hours, after which the files remain locked.
Beyond what typical ransomware does, EvilQuest can communicate with a command-and-control server (“andrewka6.pythonanywhere.com”) to remotely execute commands, start a keylogger, create a reverse shell, and even execute a malicious payload directly from memory.
With all these features, an attacker can easily gain complete control over an infected host.
No decryptor has been created yet; for now, macOS users are strongly advised to keep backups to avoid data loss and to use a utility like RansomWhere? to block such attacks.
The best defense against ransomware is a regular backup. Keep at least two backup copies of all important data, and do not leave one of them attached to your Mac at all times.