The Fast-Evolving MacOS Malware - ThiefQuest

New ThiefQuest variants

• The malware authors have implemented a new routine for computing and calling the new functions’ addresses. As compared with earlier iterations of the malware, these new variants have even obfuscated the function names to make malware tracing more difficult.
• The malware has included new anti-analysis functions (some empty and some functioning) for condition checks like getting the MAC address, CPU count, and physical memory of the machine.
• It has also included more security tools by the security vendors like Avast, Bitdefender, Bullguard, DrWeb, Kaspersky, KnockKnock, Little Snitch, McAfee, Norton, and ReiKey to the list of check and termination process.

Gradually changing history

• ThiefQuest was initially a backdoor (June 4, 2020 sample) with the capability to modify the victim’s host file. Later it adopted File exfiltration capabilities (June 26, 2020 sample), and Ransomware behavior, and File infector behavior (July 2, 2020 sample).
• In the latest versions, the malware continued with the File infector capability and removed the Ransomware capability (July 3, 2020 sample).
• In mid-July, ThiefQuest operators used pirated software installers (including Little Snitch, Ableton, and Mixed In Key), and later it used keylogging and backdoor code in its ransomware strain to hide its true intentions.

Closing statement