NEWS: 07.17.20 – A new malware attack on the Mac, disguised as a Google software update, may without the user’s knowledge be aiding and abetting a virtual thief in a quest for sensitive data, allowing it to steal personal information off of an Apple desktop or notebook computer, and the only way to acquire a decryption key and end the attack is to pay a hefty price.
Wired magazine reported earlier this month that this new ransomware on the Mac is even more sinister than it appears. According to senior writer Lily Hay Newman, the malware — known as “ThiefQuest” (or “EvilQuest”) — also has spyware capabilities that allow it to grab passwords and credit card numbers from a person’s computer.
The Wired senior writer reported that, given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.
A malware researcher at K7 Lab, Dinesh Devadoss, published findings last month about this new ransomware on the Mac. “ThiefQuest” has a whole other set of spyware capabilities: it can exfiltrate files from an infected computer, search the system for sensitive data, and run a keystroke logger to grab passwords, credit card numbers, or financial information (e.g., bank account and routing numbers) as the user types it in. In addition, it acts as a backdoor on affected computers and persists across reboots, which could be used as a gateway for additional attacks.
Speaking to Wired, Patrick Wardle, a principal security researcher at Jamf, said that his gut feeling about “ThiefQuest” is that, basically, someone was designing a piece of malware for the Mac that would give them the ability to completely control — remotely — an infected computer and then added ransomware capabilities to make extra money.
“ThiefQuest” shows a ransom note that demands payment in Bitcoin and indicates where to send in the digital currency. Due to the anonymity on both ends, however, attackers who intend to decrypt a victim’s infected computer upon being paid would have no way to tell who already had sent in funds and who hadn’t. By the same token, there is no email address listed which victims can use to correspond with the hackers to inquire about receiving a decryption key and indicate that their Mac is affected by the malware in question.
According to Newman, although “ThiefQuest” is packed with menacing features, it’s unlikely to infect your Mac anytime soon unless you download unvetted software (e.g., pirated copies procured from the web).
The director of Mac and mobile platforms at Malwarebytes, Thomas Reed, told Wired that he found “ThiefQuest” being distributed on torrent sites bundled with name-brand software such as the security application Little Snitch, a title for disc jockeys called Mixed In Key, and the music production platform Ableton.
The Wired senior writer reported that for a computer to become infected, a user would need to torrent a compromised installer and then dismiss a series of warnings from the macOS operating system in order to run it. Getting software from trustworthy sources, such as developers whose code is digitally signed with Apple-issued credentials to prove its legitimacy or software downloaded directly from the Mac App Store itself, is the way she suggested to avoid being attacked by the malware.
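The signature check the article recommends can be done from the terminal before an installer is ever opened. The script below is an added example, not code from Wired or the researchers cited; it uses only Apple’s built-in tools (`codesign`, `spctl`, `pkgutil`), so it must be run on macOS, and the `verify_installer` function name and its return codes are this example’s own convention.

```shell
#!/bin/sh
# Added example: verify that a downloaded .app or .pkg carries a valid
# Apple-issued signature and passes Gatekeeper before you run it.
# A torrented bundle that was modified after signing fails these checks,
# which is exactly what the warnings the article mentions are reporting.
#
# Return codes (this example's own convention):
#   0 = signed and accepted by Gatekeeper
#   1 = unsigned, tampered with, or rejected by Gatekeeper
#   2 = Apple tools not available (not running on macOS)
#   3 = path does not exist
verify_installer() {
  path="$1"
  [ -e "$path" ] || { echo "no such file: $path" >&2; return 3; }
  if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
    echo "spctl/codesign not found; run this on macOS" >&2
    return 2
  fi

  case "$path" in
    *.pkg)
      # pkgutil prints the signing certificate chain and fails if there is none;
      # spctl then applies the Gatekeeper policy for installer packages.
      pkgutil --check-signature "$path" || return 1
      spctl --assess --type install -v "$path" || return 1
      ;;
    *)
      # --deep checks nested bundles too; --strict rejects weakened signatures.
      codesign --verify --deep --strict --verbose=2 "$path" || return 1
      # Show the certificate chain so you can see it ends at Apple's root CA.
      codesign -dv --verbose=2 "$path" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
      # Gatekeeper assessment (signature + notarization) for an executable bundle.
      spctl --assess --type execute -v "$path" || return 1
      ;;
  esac
  echo "OK: $path is signed and accepted by Gatekeeper"
  return 0
}

# Usage: sh verify_installer.sh /path/to/Downloaded.app   (or a .pkg)
if [ $# -gt 0 ]; then
  verify_installer "$1"
fi
```

A passing result means the file is unchanged since the developer signed it and Gatekeeper accepts it; it does not vouch for what the developer shipped, so the source of the download still matters.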
Devadoss noted that the malware itself is designed to look like a Google Software Update.
Newman reported that although “ThiefQuest” has an extensive suite of capabilities in fusing ransomware with spyware, it is unclear to what end. The researchers emphasized that hackers looking to conduct reconnaissance with spyware usually want to be as discreet and inconspicuous as possible. Adding ransomware into the mix announces the presence of malware and likely would change a user’s behavior on the infected computer (e.g., refraining from activities such as online shopping where one would enter their credit card information), which would defeat the entire purpose of the attack.
Reed said that if the hackers’ main goal was the extraction of data, they would want to stay in the background and do that as silently as possible to give them the best chance of going undetected.
According to Newman, “ThiefQuest” does include some features to help it stay hidden, and the malware won’t run on a Mac if certain security tools like Norton Antivirus are detected.
Wardle theorized that the malware may have been intended to run its spyware module quietly while collecting valuable data, only launching the noisy ransomware component as a last-ditch effort to gather some funds from a victim before finally moving on.
The researchers said that “ThiefQuest” likely was created by criminal hackers — versus nation state spies looking to conduct espionage — since it is being distributed through torrents and seems to focus on stealing money.
Newman reported that “ThiefQuest” doesn’t seem to have a significant number of downloads, and, so far, no one has paid a ransom to the Bitcoin address provided by the hackers. The Wired senior writer also indicated that the malware is buggy and still has some kinks, and, for now, it’s unclear what the developer’s true intent is.
It is unclear from the Wired magazine article which versions of the macOS operating system are affected by the “ThiefQuest” malware and whether or not the security risk has been addressed with a software update. Apple, per Newman, declined to provide a comment for her story.