Security researchers have discovered a new ransomware family, EvilQuest, targeting macOS devices. EvilQuest is more than just an encryptor: the malware also installs a keylogger and a reverse shell on infected machines, giving the attackers complete control over compromised hosts.
K7 Lab analyst Dinesh Devadoss was the first to notice the new threat a few days ago, but according to experts, EvilQuest has been active since at least the beginning of June 2020.
Currently, many information security experts are studying the new malware. Among them are Patrick Wardle, Principal Investigator at Jamf Security and founder of Objective-See; Thomas Reed, Head of Mac & Mobile at Malwarebytes; and Phil Stokes, macOS security researcher at SentinelOne.
Reed and Stokes focused their efforts on finding a flaw in the new ransomware's encryption scheme, because such a flaw could be used to build a decryptor, allowing affected users to recover their files without paying a ransom.
Reed told ZDNet reporters that EvilQuest can be found in pirated macOS software posted on various torrent trackers and forums. Devadoss found EvilQuest in a Google Software Update package, Wardle found EvilQuest samples in a pirated version of the popular DJ software Mixed In Key, and Reed spotted the malware in Little Snitch for macOS.
At the same time, Reed is convinced that the ransomware is most likely distributed much more widely and via many more applications than the ones listed above.
Patrick Wardle has already published his own technical analysis of EvilQuest. He writes that the malware is quite simple and starts encrypting user files immediately after execution. As soon as encryption is complete, the user sees a pop-up window informing them that their data has been infected and encrypted.
The victim is also instructed to open a ransom note (a text file placed on the desktop). Victims are asked to pay a $50 ransom in cryptocurrency within three days (72 hours).
Interestingly, EvilQuest uses the same static Bitcoin address for all victims, and the ransom note contains no email address for communication. As a result, the intruders have no way to identify which victims have paid the ransom, and victims have no way to contact the malware operators to get their data decrypted.
Because of this, BleepingComputer founder Lawrence Abrams writes that all these features clearly indicate that EvilQuest is not ordinary ransomware but a wiper (from the English "to wipe", i.e. to erase), that is, destructive malware that simply destroys files. Abrams is convinced that the ransomware is just a cover for the criminals' true goal, namely searching for and stealing files of certain types.
Thus, the ransomware encrypts any files it finds with the following extensions: .pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat.
After completing the encryption, the malware installs a keylogger on the infected device to intercept keystrokes, as well as a reverse shell that gives its operators the ability to connect to the infected host and execute arbitrary commands. EvilQuest also attempts to steal the following types of files, usually associated with cryptocurrency wallet applications: Wallet.pdf, Wallet.png, Key.png, as well as *.p12.
Lawrence Abrams notes that, in addition, EvilQuest steals files from the /Users folder and sends them to a remote URL. The malware is interested in any files with the extensions .pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat.
EvilQuest can check whether it is running in a virtual machine and has anti-debugging capabilities. The malware also watches for a number of common security products, including Little Snitch, Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender, and BullGuard.
To obtain the IP address of the command-and-control server, download additional files, and send data, the malware connects to the address http://andrewka6.pythonanywhere(.)com/ret.txt.
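As an added example (not from the article or from any of the researchers cited), a small Python triage helper built only from the indicators given above: it counts files under a directory that match the extension list and wallet filenames EvilQuest targets, and flags proxy log lines that fetch the C2 URL. The log format ("<timestamp> <client-ip> <method> <url>") and the sample lines are constructed assumptions.

```python
import os
import re
from pathlib import Path
from urllib.parse import urlsplit

# Extensions the article says EvilQuest encrypts and exfiltrates from /Users.
TARGET_EXTS = {
    ".pdf", ".doc", ".jpg", ".txt", ".pages", ".pem", ".cer", ".crt", ".php",
    ".py", ".h", ".m", ".hpp", ".cpp", ".cs", ".pl", ".p", ".p3", ".html",
    ".webarchive", ".zip", ".xsl", ".xslx", ".docx", ".ppt", ".pptx",
    ".keynote", ".js", ".sqlite3", ".wallet", ".dat",
}
WALLET_NAMES = {"wallet.pdf", "wallet.png", "key.png"}  # stolen outright
WALLET_EXTS = {".p12"}
C2_HOST, C2_PATH = "andrewka6.pythonanywhere.com", "/ret.txt"  # article's C2 URL

def classify(path):  # -> 'wallet', 'target' or None (case-insensitive match)
    p = Path(path)
    if p.name.lower() in WALLET_NAMES or p.suffix.lower() in WALLET_EXTS:
        return "wallet"
    return "target" if p.suffix.lower() in TARGET_EXTS else None

def inventory(root):  # count files under root that EvilQuest would encrypt or steal
    counts = {"wallet": 0, "target": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(os.path.join(dirpath, name))
            if kind:
                counts[kind] += 1
    return counts

# Assumed proxy log format (constructed): "<timestamp> <client-ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)")

def c2_hits(lines):  # (client, url) pairs whose host and path match the C2 exactly
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            url = urlsplit(m.group("url"))
            if url.hostname == C2_HOST and url.path == C2_PATH:
                hits.append((m.group("client"), m.group("url")))
    return hits

# Constructed sample log: one real hit, one benign request, one look-alike host.
SAMPLE_LOG = """\
2020-06-30T10:01:02Z 10.0.0.5 GET http://andrewka6.pythonanywhere.com/ret.txt
2020-06-30T10:01:03Z 10.0.0.6 GET https://www.apple.com/
2020-06-30T10:01:04Z 10.0.0.5 GET http://x-andrewka6.pythonanywhere.com/ret.txt
""".splitlines()
```

Run `inventory(os.path.expanduser("~"))` to see how much of a home directory falls into the targeted set, and feed real proxy lines (in the assumed format) to `c2_hits` to find hosts that reached the C2 URL.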
Thomas Reed, who has also published his own analysis of EvilQuest, notes that the ransomware tries to modify the files of the Google Chrome update mechanism and use them as a persistence vector on infected hosts. Apparently, the attackers did not take into account that on startup Chrome detects these changes and immediately replaces the files with clean copies.
Patrick Wardle writes that RansomWhere?, the tool he released in 2016, is able to detect and stop EvilQuest when it launches. In turn, Thomas Reed notes that Malwarebytes for Mac has already been updated and now also detects and stops the new ransomware before it can do any damage.
It is worth noting that EvilQuest is only the third ransomware for macOS known to information security experts. Before it, in 2016-2017, experts found only two threats of this kind: KeRanger and Patcher. Back in 2014, Kaspersky Lab experts also reported the FileCoder malware; however, it did not function properly. A similar case occurred in 2015, when a Brazilian researcher created a proof-of-concept malware for macOS called Mabouia, which worked but never reached the general public.