The Mac Security Blog
Intego’s research team received a tip from BitTorrent that new Mac malware was spreading via BitTorrent on Monday, June 29. It looks like ransomware, a malware designed to encrypt files and then demand ransom money to retrieve them. But it’s much more dangerous.
This malware is also known as OSX/ThiefQuest and was detected by Intego VirusBarrier (previously OSX/Ransomware). It has some interesting characteristics. This is what you need to know about the latest threat.
Is there any evidence of this malware being spread in the wild? Is it spreading?
EvilQuest malware disguises itself as an installer for various Mac applications such as Google Software Update, Ableton, and Little Snitch.
BitTorrent magnet links for downloading these Trojanized installers were observed on RUTracker (a Russian forum site). This forum post appears to have been posted on June 9, meaning that this malware could have gone undiscovered for around three weeks.
RUTracker forum posting with BitTorrent link for Trojanized Little Snitch. Image: Reed
What is the purpose of this new malware? What makes it so unique?
The Trojanized installer can install the intended software but it also installs malware on the victim’s computer.
The malware encrypts user’s files and displays a dialog box telling the user that they have three days to pay USD 50 to a specific Bitcoin address. As of the time this article was written, no one has paid the ransom.
No one had ever paid the ransom at the time this article was published. Image by Intego
The ransomware angle has a little twist. This sounds like normal ransomware behavior so far. However, the malware makers don’t give an e-mail address nor any other contact information. It is therefore unclear how the extortioners would find out who paid them and how they can help them decrypt their files.
This “ransomware”, in other words, may be described more like a “wiper”–malicious malware that encrypts files but doesn’t provide any way to decrypt them. Even if you comply with the demands of the extortioners. It is yet to be determined if the anti-malware community can find a way to decrypt encrypted documents by this malware.
Additional capabilities are available beyond the encryption of user documents. EvilQuest also phones home to command and control (C2) servers, can log a victim’s keystrokes, and it has data exfiltration capabilities–meaning it can steal potentially interesting files from a victim’s computer and send them to the malware maker.
EvilQuest may also try to avoid detection by acting differently in virtual machines or when a Debugger is running – these are common tactics to make it harder for malware analysts to detect and assess malicious behavior.
Update It was discovered that EvilQuest maliciously modified Google Software Update background applications, making EvilQuest a Mac virus.
EvilQuest malware does not just “just” ransomware. It can also be described as a data stealer, wiper, hacker, spyware, and keylogger.
How can Mac users prevent this malware from getting into their computers?
This malware is not new. It has been used to distribute malware via BitTorrent or disguise itself as legitimately obtained full or “cracked” Mac software. In 2017, we wrote about “Patcher”, OSX/Filecoder ransomware which spread in the same manner.
A blogger at Intego did an investigation on Mac software distributed via BitTorrent later in the year and discovered that each app he downloaded had been flagged by Intego VirusBarrier for being containing malware.
It is simply not a good idea for Mac apps to be downloaded via BitTorrent. You can obtain an app through the Mac App Store, or directly from the developer’s website.
How can malware be removed?
Intego VirusBarrier X9 can detect and remove this malware. It is included in Intego’s Mac Premium Bundle X9.
Customers who have VirusBarrier X8, X7, or X6 installed on older Mac OS X versions are also protected. To ensure that your Mac receives the most recent security updates from Apple, it is best to upgrade as soon as possible to macOS.
What can I do to recover files that were encrypted?
The ransom payment is a one-way transaction. You would give the bad guys your money but not be able to retrieve your encrypted files. It’s better to avoid ransom payments whenever possible. Criminals will continue to victimize others by giving them money.
The community came together to reverse-engineer the encryption. A free utility can be used to decrypt or restore files encrypted by EvilQuest malware.