Mac Malware Primarily Infostealer, Not RansomwareMalwarebytes: New Research Discloses Data Exfiltration Capability
The Mac malware originally labeled as “EvilQuest,” which researchers initially identified as a poorly designed ransomware variant, apparently is primarily an information stealer with ransomware-like elements designed to confuse security tools, according to the security firm Malwarebytes.
During the initial investigation into the malware, now renamed “ThiefQuest,” researchers missed a small piece of code written in Python that can exfiltrate data from an infected system, says Thomas Reed, director of Mac and mobile at Malwarebytes (see: Ransomware Targets Mac Users).
The Python script was uncovered after Malwarebytes researchers noticed the malware making hundreds of connections to a command-and-control server and removing data that apparently had nothing to do with typical ransomware activity.
Even though ThiefQuest's main task may not be encrypting a victim's data, SentinelOne has released a free decryptor on Github to help any potential victims who had data encrypted by attackers.
"SentinelLabs research suggests that EvilQuest is not related to public key encryption and in fact often uses a table normally associated with block cipher RC2. Knowing this, the SentinelLabs team was able to break the EvilQuest encryption routine, unlocking files and disrupting the attack chain," the company said in a statement.
Malwarebytes has not yet determined how many victims have been hit with ThiefQuest, Reed says.
A closer examination of ThiefQuest reveals how the information stealer works, Malwarebytes says.
"This script scans through all the files in the /Users/ folder - the folder that contains all user data for all users on the computer - for any files having certain extensions, such as .pdf, .doc, .jpg, etc. Some extensions in particular indicate points of interest for the malware, such as .pem, used for encryption keys, and .wallet, used for cryptocurrency wallets," Reed notes in an updated report published Tuesday.
The stolen files, which include cryptocurrency wallets and various types of keys, are collected and then uploaded to the command-and-control server through an unencrypted HTTP, according to the report.
The fact that ThiefQuest has a data exfiltration feature is not proof it is a combination ransomware/info stealer like Maze, which is used to exfiltrate data and then extort ransoms for withholding release, Reed says (see: Ransomware + Exfiltration + Leaks = Data Breach ).
"We're not sure at this point. That's entirely possible, but some of the information being targeted suggests the malware is interested in things like cryptocurrency wallets (direct access to funds) and a variety of keys that could be used to gain access to systems (ssh keys, for example)," he says. "Although that doesn't rule out the possibility of extortion, it doesn't really point the finger in that direction either."
As noted in the original Malwarebytes report, distribution of this malware was handled through fake installers, such as for Little Snitch - a host-based application firewall for Apple macOS.