ThiefQuest Ransomware Masks its True Intentions

Security researchers recently discovered a new ransomware strain called ThiefQuest targeting macOS users.

What is special about ThiefQuest?

Dubbed ThiefQuest, the new ransomware strain encrypts the victim’s files and installs a reverse shell and a keylogger. It also steals cryptocurrency wallet-related files from infected hosts. These additions set it apart from other ransomware strains.

Hidden motives

  • Researcher Patrick Wardle discovered keylogging and backdoor code in the new ransomware strain, which separates it from most other strains.
  • The ransom note left behind demands $50 from the victim, which is an unusually small ransom demand. Moreover, it does not provide any email address for contacting the operators about the ransom payment.
  • Also, Wardle found that the decryption routine present in the malware was never executed, meaning it was already broken.
  • This indicates that the ransomware functionality was only a distraction to hide its true intention of exfiltrating sensitive user data.
  • It includes a Python script that looks for files with certain extensions, such as .pdf, .doc, .jpg, etc., in the /Users/ folder.

Distribution method

  • The ransomware has been in distribution since the beginning of June 2020.
  • It propagates through pirated macOS software uploaded to online forums and torrent platforms.
  • The ransomware has been spotted hidden inside a software package known as Google Software Update.
  • Samples have been found in a pirated version of the popular DJ software Mixed In Key and inside the macOS security tool Little Snitch.
  • Furthermore, other apps may also be leveraged to distribute EvilQuest.

Stay safe, but how?

  • Stick to trusted third-party developers, along with the official Mac App Store.
  • Maintain a reliable set of data backups.

The takeaway

This is the third ransomware found specifically targeting macOS devices, after Patcher and KeRanger. Although ransomware strains aimed at macOS users are not very common, instances like these keep popping up from time to time. Hence, macOS users are advised to follow strict security practices to avoid being targeted by such threats.