Malware

New Mac ransomware-spyware EvilQuest in the wild

Posted on July 1st, 2020 by

ThiefQuest Mac ransomware spreads via Trojanized installers downloaded from BitTorrent

On Monday, June 29, Intego’s research team was alerted to new Mac malware spreading in the wild via BitTorrent. At first glance, it has telltale signs of ransomware—malware designed to encrypt a user’s files and demand a ransom to recover them—but it turns out to be much more nefarious.

The malware, dubbed OSX/EvilQuest (also known as OSX/ThiefQuest) and detected by Intego VirusBarrier as OSX/EvilQuest (previously OSX/Ransomware), has some pretty interesting characteristics. Here’s what you need to know about this latest threat.

In this article:

Is this malware in the wild? How does it spread?

The EvilQuest malware comes disguised as an installer for any of various Mac applications, including Google Software Update, Ableton, Little Snitch, and Mixed In Key 8.

BitTorrent magnet links to download these Trojanized installers have been observed on RUTracker, a Russian forum site. The forum post seems to be dated June 9, so this malware may have gone undiscovered for approximately three weeks.

RUTracker forum post with BitTorrent link to Trojanized Little Snitch. Image: Reed

What does the new malware do? How is it unique?

Although the Trojanized installer may install the intended software, it also installs malware onto the victim’s system.

Among other things, the malware encrypts the user’s files, after which it displays a dialog box claiming that the user has three days to pay a U.S. $50 ransom to a particular Bitcoin address. Thankfully, nobody has yet paid the ransom—at least not to one Bitcoin address that has been found associated with this malware campaign—as of when this article was published.

ThiefQuest - no ransoms paid yet

Evidently, nobody had paid the ransom as of when this article was published. Image: Intego

There’s actually a bit of a twist to the ransomware angle, though. Although so far this has sounded like standard ransomware behavior, the malware makers actually don’t provide an e-mail address or any other way to contact them, so it is unclear how the extortioners would know who paid them and therefore how to help that person decrypt their files.

In other words, this “ransomware” may be better described as a “wiper”—malicious software that encrypts files without providing any way to decrypt them, even if you give in to the extortioner’s demands. It remains to be seen whether the anti-malware community will be able to discover a way to decrypt documents encrypted by this malware.

There are also additional capabilities beyond encrypting the user’s documents. EvilQuest also phones home to command and control (C2) servers, can log a victim’s keystrokes, and it has data exfiltration capabilities—meaning it can steal potentially interesting files from a victim’s computer and send them to the malware maker.

EvilQuest also tries to avoid detection by behaving differently when running within a virtual machine or when a debugger is running—common tactics to make it more difficult for malware analysts and automated analysis tools to identify and assess malicious behaviors.

Update: After this article was first published, it came to light that EvilQuest also maliciously modifies Google Software Update background apps, which interestingly makes EvilQuest a true Mac virus.

Given all this functionality, the EvilQuest malware is not “merely” ransomware. It could also be described as a wiper, data stealer, spyware, keylogger, evader, virus, and a RAT.

How should Mac users avoid getting this malware?

This is not the first time that malware has been distributed via BitTorrent, or by disguising itself as illegitimately obtained full or “cracked” versions of Mac software. We wrote in 2017 about “Patcher” (OSX/Filecoder) ransomware that spread the same way.

In fact, later that year an Intego blogger did his own investigation of Mac software distributed through BitTorrent, and found that every app he downloaded was flagged by Intego VirusBarrier as containing malware:

Why BitTorrent Sites Are a Malware Cesspool

In short, it simply is not a good idea to download Mac apps through BitTorrent. The safest way to obtain an app is through the Mac App Store where possible, or directly from the developer’s site.

How can the malware be removed?

Intego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, can detect and eliminate this malware.

Customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected. It is best to upgrade to the latest version of macOS if possible to ensure your Mac gets all the latest security updates from Apple.

How can I recover my files that got encrypted?

The malware maker doesn’t provide any contact information, so paying the ransom would be a one-way transaction; you’d be giving the bad guys your money, but you still wouldn’t be able to recover your encrypted files. (Whenever possible, it’s best to avoid paying ransoms anyway, of course, since giving money to criminals ultimately gives them motivation to keep victimizing others.)

Thankfully, the community has come together and reverse-engineered the encryption. There’s even a free utility that can be used to decrypt and restore files that have been encrypted by the EvilQuest malware.

Indicators of compromise

Some paths that have been observed so far from this malware campaign include the following:

/Library/LaunchDaemons/com.apple.questd.plist
/Library/mixednkey/toolroomd
/private/var/root/Library/.5tAxR3H3Y
/private/var/root/Library/AppQuest/com.apple.questd
/private/var/root/Library/LaunchAgents/com.apple.questd.plist
~/Library/.ak5t3o0X2
~/Library/AppQuest/com.apple.questd
~/Library/LaunchAgents/com.apple.questd.plist
Mixed In Key 8.dmg [if downloaded via BitTorrent]

The following domain and IP address have been observed as directly affiliated with this malware campaign:

andrewka6.pythonanywhere[.]com
167.71.237[.]219

Any recent network traffic to or from these addresses should be considered a possible sign of an infection.

How can I learn more?

For more technical analyses of this malware, you can refer to Patrick Wardle (part 1 and part 2), Thomas Reed (part 1 and part 2), Lawrence Abrams, and Phil Stokes‘ published research. WIRED writer Lily Hay Newman also has additional coverage of this story.

We talked about this new malware on episode 142 and will follow up on episode 143 of the Intego Mac Podcast—be sure to subscribe to make sure you don’t miss any episodes. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.

You can also follow Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 🔔 to get notified about new videos).

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh's security research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter. View all posts by Joshua Long →