Security experts have uncovered a new piece of ransomware dubbed EvilQuest designed to encrypt macOS systems, it is also able to install additional payloads and potentially take over the infected machine.
Unlike other MacOSx threats, EvilQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallets from infected hosts.
EvilQuest was first spotted by K7 Lab malware researcher Dinesh Devadoss while it was impersonating as Google software update program.
The malware was also analyzed by Malwarebytes Director of Mac & Mobile Thomas Reed, Principal Security Researcher at Jamf Patrick Wardle, and Phil Stokes, macOS security researcher at SentinelOne.
EvilQuest includes anti-analysis capabilities, it is able to check if it’s running in a virtual machine or a sandboxed environment and implements anti-debug capabilities.
The ransomware also checks for some common anti-virus solutions (e.g. Kaspersky, Norton, Avast, DrWeb, Mcaffee, Bitdefender, and Bullguard). According to Felix Seele, it establishes a reverse shell to communicate with the C2 server.
Using these capabilities the ransomware can gain full control over the infected system.
“Armed with these capabilities the attacker can main full control over an infected host!” reads the analysis wrote by Wardle.
According to the experts, the EvilQuest ransomware has been distributed in the wild since the beginning of June.
Threat actors have started distributing the ransomware in tainted pirated macOS software uploaded on torrent portals and online forums.
Patrick Wardle has found some samples of malware that have been hidden inside a pirated version of popular DJ software Mixed In Key, while Reed found it inside the macOS security tool Little Snitch.
Once encrypted the file on the infected host, a popup is displayed to the victim, informing it that its files have been encrypted.
The victims is directed to open a ransom note dropped on their desktop that includes instructions for the payment of the ransomware.
The ransomware currently targets the following file extensions, as reported by ZDNet:
.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat
MalwareBytes researchers noticed that the malware also attempts to modify some files specific that are part of GoogleSoftwareUpdate and attempt to use them to achieve persistence on infected hosts.
“Even more bizarre—and still inexplicable—was the fact that the malware also modified the following files:
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/crashpad_handler /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksadmin /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksdiagnostics /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksfetch /Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksinstall
These files are all executable files that are part of GoogleSoftwareUpdate, which are most commonly found installed due to having Google Chrome installed on the machine.” states MalwareBytes. “These files had the content of the
patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed. However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it’s unclear what the purpose here is.”
One of the tools developed by Patrick Wardle, named RansomWhere, is currently able to detect and stop the EvilQuest ransomware.
(SecurityAffairs – hacking, ransomware)