The malware was initially called “EvilQuest” but was later renamed “OSX.ThiefQuest” to avoid confusion with the name of a Chaosoft Games Xbox 360 and PC video game that has used it since 2012, Thomas Reed, Malwarebytes' Director of Mac and Mobile, explained.
Malwarebytes has analyzed the ransomware, which was first found hidden in what appeared to be a legitimate installer for the Little Snitch host-based application firewall for macOS. The malicious installer was available for download from a Russian forum via torrent links. It has since also been found in installers for the Mixed In Key 8 electronic music application and for Ableton Live.
According to Reed, the malware “undoubtedly” resides in other illegal copies of software or their installation files.
“The legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed. However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file,” Reed said.
On examining the installer, it was found to install an executable file named “patch” into the “/Users/Shared/” directory. Once installation completes, a post-install script is executed; such scripts are typically used to clean up after the installation. In this case, however, the script was used to load the malware and then launch the legitimate Little Snitch installer.
The script moves the patch file into a location that appears to be related to LittleSnitch and renames it to CrashReporter. Because macOS includes a legitimate process named Crash Reporter, the user is unlikely to notice the renamed file running in Activity Monitor. It then removes itself from the /Users/Shared/ folder and launches the new copy. Finally, it launches the genuine Little Snitch installer.
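The installer behaviour described above suggests two simple on-disk indicators a defender can hunt for: an executable named “patch” in /Users/Shared/, and a “CrashReporter” executable sitting in a Little Snitch-related directory. The following script is an added example, not Malwarebytes' code; since the write-up does not give the exact drop path, matching any directory whose path contains “littlesnitch” is an assumption, and the sample tree in `demo()` is constructed for illustration.

```python
import os
import stat
import tempfile

# Indicators from the write-up. Matching the renamed copy by a directory path
# containing "littlesnitch" is an assumption: the article only says the
# location "appears to be related to LittleSnitch".
DROPPED_REL = os.path.join("Users", "Shared", "patch")
RENAMED_NAME = "CrashReporter"
RELATED_DIR_TOKEN = "littlesnitch"


def _is_executable(path):
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IXUSR)


def hunt(root):
    """Walk `root` (normally '/') and return a list of (reason, path) findings."""
    root = os.path.abspath(root)
    findings = []
    dropped = os.path.join(root, DROPPED_REL)
    if _is_executable(dropped):
        findings.append(("executable 'patch' in /Users/Shared", dropped))
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).lower()
        if RENAMED_NAME in filenames and RELATED_DIR_TOKEN in rel:
            full = os.path.join(dirpath, RENAMED_NAME)
            if _is_executable(full):
                findings.append(("'CrashReporter' copy in Little Snitch-related directory", full))
    return findings


def demo():
    """Build a constructed sample tree: both artifacts plus one benign decoy."""
    root = tempfile.mkdtemp()
    for rel, executable in (
        (DROPPED_REL, True),
        (os.path.join("Library", "LittleSnitch", RENAMED_NAME), True),
        (os.path.join("Library", "Logs", RENAMED_NAME), False),  # decoy: unrelated dir, not executable
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        if executable:
            os.chmod(path, 0o755)
    return [reason for reason, _ in hunt(root)]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

Run `hunt("/")` on a real Mac to scan the whole volume; any hit should be followed by a look at the launch agents and the file's code signature rather than treated as proof on its own.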
Once running, the malware starts encrypting certain types of files found on the system, including archives, images, audio and video files, documents, spreadsheets, presentations, databases, and web files. After encrypting the files, OSX.ThiefQuest drops a text file demanding a $50 ransom from victims to unlock access to the files; otherwise, everything will be deleted after three days.
To ensure that victims see the ransom note, the ransomware displays a text-to-speech prompt that reads the note aloud using the built-in “voice” capabilities of macOS.
In addition to its ransomware capability, ThiefQuest may contain a keylogger, given the presence of calls to the system routine CGEventTapCreate. It can also search for and exfiltrate cryptocurrency wallet files if it finds any on the victim’s machine. Further, the attacker can remotely instruct the malware to open a reverse shell to communicate with a command and control (C&C) server.
According to Malwarebytes, there is currently no information about the existence of a decryption key. Researchers are still investigating what encryption ThiefQuest uses to encrypt its victims’ files and how it can be cracked.
In the meantime, Reed advises users to keep an up-to-date backup of everything and an effective anti-virus product as the main ways to lessen the threat.
“The best way of avoiding the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times (ransomware may try to encrypt or damage backups on connected drives),” Reed concluded.
“I personally have multiple hard drives for backups. I use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more. One of the backups is always in the safe deposit box at the bank, and I swap them periodically, so that worst case scenario, I always have reasonably recent data stored in a safe location.”