At the end of June 2020, information security specialists discovered the new ThiefQuest ransomware aimed at macOS devices. ThiefQuest is more than just an encryptor: the malware also installs a keylogger and a reverse shell on infected machines for complete control over compromised hosts.
Initially, the threat was given the name EvilQuest, but later the malware was renamed ThiefQuest. This decision was made to avoid possible confusion, since after the publication of the reports it became clear that there was a series of games called EvilQuest.
Experts wrote that the ransomware is distributed with pirated software: for example, ThiefQuest was found in a Google Software Update package, in a pirated version of the popular DJ software Mixed In Key, and in a pirated copy of the macOS security tool Little Snitch.
At the same time, it was noted that the malware uses the same static bitcoin address for all victims, and the ransom note does not contain an email address or other contacts for communication.
In fact, the attackers have no way to identify the victims who paid the ransom, and the victims cannot contact the malware operators to get their data decrypted. Because of this, Bleeping Computer founder Lawrence Abrams suggested that ThiefQuest is not ordinary ransomware but a wiper (from the English "to wipe", meaning "erase"), that is, destructive malware that simply destroys files. Abrams is convinced that the ransomware is just a cover for the criminals' true purpose, namely the search for and theft of files of certain types.
Another theory is that the malware is at an early stage of development and not all of its functions work properly yet.
ThiefQuest is only the third macOS ransomware known to security experts. Before it, in 2016-2017, experts found only two threats of this kind, KeRanger and Patcher. Back in 2014, Kaspersky Lab experts also reported the FileCoder malware; however, it did not function properly. A similar case occurred in 2015, when a Brazilian researcher created a proof-of-concept malware for macOS called Mabouia, which worked but never reached the general public.
Because of the ThiefQuest characteristics described above, the victims had in fact lost access to their data permanently, and information security experts actively worked on breaking the malware's encryption, promising to try to create a free tool for decrypting files.
SentinelOne experts reported this week that analyzing the source code of the ransomware, as well as examining the differences between the encrypted files and their original versions, helped them understand the ThiefQuest encryption mechanism. The researchers found that ThiefQuest uses a simple symmetric-key encryption scheme based on the RC2 algorithm and stores the encryption/decryption key inside each locked file.
As a result, SentinelOne engineers were able to create a free decryptor that extracts the aforementioned key and unlocks the victims' files. Currently, the decryptor is provided as a binary, but the company said it plans to open its source code in the future.
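The following is an added illustration of why a symmetric key stored inside each locked file makes a decryptor possible. It is example code written for this article, not SentinelOne's decryptor and not ThiefQuest's real on-disk layout: the `LOCKD` marker, the 16-byte key position and the SHA-256 counter-mode stand-in for RC2 are all constructed assumptions. The recovery routine only needs to know where in the file the key sits; once it is read out, the ciphertext that follows decrypts directly.

```python
import hashlib
import struct

# Constructed toy layout, NOT ThiefQuest's real file format (assumption):
#   MAGIC (5 bytes) | key (16 bytes) | ciphertext (rest of file)
MAGIC = b"LOCKD"
KEY_LEN = 16
HEADER_LEN = len(MAGIC) + KEY_LEN


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used here only as a stand-in for the
    symmetric cipher (the article names RC2; this is not RC2)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def lock_bytes(plaintext: bytes, key: bytes) -> bytes:
    """Build a locked file in the toy layout. The key travels inside the
    file, which is exactly the design weakness that enables recovery."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    return MAGIC + key + xor_bytes(plaintext, keystream(key, len(plaintext)))


def is_locked(blob: bytes) -> bool:
    """Cheap triage check: does this look like a locked file?"""
    return blob.startswith(MAGIC) and len(blob) >= HEADER_LEN


def recover(blob: bytes) -> tuple[bytes, bytes]:
    """Extract the embedded key and return (key, plaintext)."""
    if not is_locked(blob):
        raise ValueError("not a locked file in the toy layout")
    key = blob[len(MAGIC):HEADER_LEN]
    ciphertext = blob[HEADER_LEN:]
    return key, xor_bytes(ciphertext, keystream(key, len(ciphertext)))


def recover_all(files: dict[str, bytes]) -> dict[str, bytes]:
    """Walk an in-memory 'directory' and restore every locked entry,
    passing files that were never locked through unchanged."""
    restored = {}
    for name, blob in files.items():
        restored[name] = recover(blob)[1] if is_locked(blob) else blob
    return restored


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    demo_key = bytes(range(KEY_LEN))
    sample = {
        "report.txt": lock_bytes(b"constructed sample document", demo_key),
        "readme.txt": b"never encrypted",
    }
    for name, data in recover_all(sample).items():
        print(name, data)
```

The point of `is_locked` is that a real recovery tool should decide per file whether it is dealing with the locked format before touching it; blindly "decrypting" untouched files would corrupt them. Note that recovering the plaintext does not undo the other changes the malware makes on the host.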
It is worth noting that a new Malwarebytes report, also published this week, says that in addition to encrypting files, ThiefQuest infects local files and exhibits virus-like behavior. Therefore, in addition to decrypting files, additional cleaning of the system may be required to prevent re-infection.