New EvilQuest ransomware targets macOS users

Experts discovered a new ransomware dubbed EvilQuest designed to target macOS systems, it also installs a keylogger and a reverse shell to take over them.

Security experts have uncovered a new piece of ransomware dubbed EvilQuest designed to encrypt macOS systems, it is also able to install additional payloads and potentially take over the infected machine.

Unlike other MacOSx threats, EvilQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallets from infected hosts.

EvilQuest was first spotted by K7 Lab malware researcher Dinesh Devadoss while it was impersonating as Google software update program.

The malware was also analyzed by Malwarebytes Director of Mac & Mobile Thomas Reed, Principal Security Researcher at Jamf Patrick Wardle, and Phil Stokes, macOS security researcher at SentinelOne.

EvilQuest includes anti-analysis capabilities, it is able to check if it’s running in a virtual machine or a sandboxed environment and implements anti-debug capabilities.

The ransomware also checks for some common anti-virus solutions (e.g. Kaspersky, Norton, Avast, DrWeb, Mcaffee, Bitdefender, and Bullguard). According to Felix Seele, it establishes a reverse shell to communicate with the C2 server.

Using these capabilities the ransomware can gain full control over the infected system.

“Armed with these capabilities the attacker can main full control over an infected host!” reads the analysis wrote by Wardle.

According to the experts, the EvilQuest ransomware has been distributed in the wild since the beginning of June.

Threat actors have started distributing the ransomware in tainted pirated macOS software uploaded on torrent portals and online forums.

Patrick Wardle has found some samples of malware that have been hidden inside a pirated version of popular DJ software Mixed In Key, while Reed found it inside the macOS security tool Little Snitch.

Once encrypted the file on the infected host, a popup is displayed to the victim, informing it that its files have been encrypted.

The victims is directed to open a ransom note dropped on their desktop that includes instructions for the payment of the ransomware.

The ransomware currently targets the following file extensions, as reported by ZDNet:

.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat

MalwareBytes researchers noticed that the malware also attempts to modify some files specific that are part of GoogleSoftwareUpdate and attempt to use them to achieve persistence on infected hosts.

“Even more bizarre—and still inexplicable—was the fact that the malware also modified the following files:

/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/crashpad_handler
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksadmin
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksdiagnostics
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksfetch
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksinstall

These files are all executable files that are part of GoogleSoftwareUpdate, which are most commonly found installed due to having Google Chrome installed on the machine.” states MalwareBytes. “These files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed. However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it’s unclear what the purpose here is.”

One of the tools developed by Patrick Wardle, named RansomWhere, is currently able to detect and stop the EvilQuest ransomware.

In the past, other ransomware already targeted macOS users, including KeRanger, Patcher, FileCoder and Mabouia.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.