In late June, Malwarebytes researchers identified a new macOS ransomware dubbed ThiefQuest, which exhibited multiple behaviors, including file data exfiltration, encryption, and keylogging. But the operators made simple yet significant mistakes in the malware's encryption routine, and those mistakes have brought its game to an end.
The solution was hidden in the problem itself
A closer look at the malware's encryption process revealed some interesting details. The trump card for this achievement was the poor coding of the ThiefQuest ransomware, which allowed the encrypted files to be recovered.
- ThiefQuest used a custom symmetric encryption routine based on the RC2 algorithm rather than public-key encryption. In addition, the function in charge of the encryption included an extra data block that contained the encryption/decryption key along with the key used to encode it.
- Ultimately, it turned out that the attackers forgot to remove the function responsible for decryption. Once that function was recovered, it was easy for researchers to devise a decryption tool.
- Following a reverse engineering process, SentinelLabs researchers were able to create a free public decryptor tool, which was released under the GNU GPL v2.0 free software license.
Attackers forgot something else as well
The attackers made a few more mistakes in deploying the malware. After encrypting the files, they demanded a ransom but provided only a bitcoin wallet address for transferring the funds. The ransom note contained no email address for decryption instructions or for verifying the ransom payment, so victims were left with few options for reaching the attackers.
Other serious macOS threats
In the case above, the privacy of the data is not guaranteed, but its decryption is. However, not every malware operator hands over the solution so easily. In some recent incidents, malware operators used sneaky and harmful tactics to infect macOS users.
- In June, new variants of the Mac malware OSX/Shlayer and OSX/Bundlore, spread through malicious results in Google searches, tricked victims into bypassing Apple's built-in macOS security protections.
- Earlier, in January, the Iranian threat actor groups APT33 and COBALT GYPSY spread PupyRAT via spear-phishing attacks to infiltrate Windows, Linux, macOS, and Android devices and gather sensitive information.