Mac Ransomware OSX.ThiefQuest Using Pirated Software

In recent years, crooks have been deliberately and regularly using pirated software to spread malware. They rip-off popular open-source software distributions, add their own malicious code and post these pirated versions on forums or imposter sites to lure and infect victims.

ThiefQuest leverages pirated software

In late June, Malwarebytes researchers identified pirated software installers (including Little Snitch, Ableton, and Mixed In Key) that were available for download on Russian forums dedicated to sharing torrent portals.
  • The pirated software was distributing a new MAC ransomware dubbed OSX.ThiefQuest in the wild targeting macOS users. The ransomware has a whole additional set of spyware capabilities that allows it to exfiltrate files from an infected computer.
  • ThiefQuest installs a keylogger, and a reverse shell to communicate with a command and control (C&C) server. It also steals cryptocurrency wallet-related files from infected hosts. It lurks persistently as a backdoor on infected devices so that the infected devices could be used as a launchpad for other attacks.
  • The ransomware demands $50 from the victims to recover their encrypted files.

Recent threats to macOS

In August 2018, the infamous Lazarus group had launched Operation AppleJeus and its sequel in 2020 to attack macOS users. Several other hackers also have been targeting macOS users in recent attacks.
  • In May 2020, the Lazarus Group distributed a new variant of the Lazarus Dacls RAT designed specifically for the Mac operating system.
  • In January 2020, the Lazarus group developed and distributed several more macOS malware (including UnionCryptoTrader, MarkMakingBot, WbBot, MacInstaller, etc.) in order to compromise cryptocurrency businesses.

Stay safe

To prevent a ransomware threat, users should take regular backups and use an effective AV solution on all devices, including smartphones. Always avoid using pirated software and download applications only from official app stores.