ThiefQuest: The new macOS ransomware that’s more than it seems

Last week a new macOS malware threat was discovered. Mac ransomware, while not unheard of, is still interesting enough to be of interest to security researchers. So, when Dinesh Devadosh of K7 Labs announced his discovery over twitter. His colleagues; Phil Stokes of SentinelOne, Thomas Reed of Malwarebytes and Patrik Wardle of Objective See, all started to dig.

The initial analysis by Reed and Wardle as well as that by Devadosh revealed a lot about how the malware works, its distribution methods, its analysis evasion techniques and its capabilities. ThiefQuest, originally named EvilQuest but later renamed after researches realized that Evilquest was the name of a popular PC game, was found to be included as a Trojan on several pirated pieces of software distributed on torrent sites. The malware itself employs several techniques to avoid detection by AV and analysis. It uses a valid signature to appear more legitimate, attempts to determine if it is in a sandbox or being debugged, kills processes known to belong to AV products and obfuscates its code, strings and the scripts it downloads. ThiefQuest has persistence capabilities as well, copying itself to a location where it will be automatically run as well as recreating itself from memory if its executable files are removed. In addition to encrypting files, the malware opens up a connection to a command and control (C2) server. If and when the malware does encrypt files, a ransom message is displayed.

At this point, the analysis started to question whether this was really ransomware at all. Malwarebytes and Bleeping Computer published reports postulating that perhaps this malware is really a data exfiltrator and wiper. Some evidence:

• ThiefQuest actively searches and exfiltrates files with specific names and extensions, such as private keys and bitcoin wallets.
• The decryption command though it exists in the code, is never actually called. So its unlikely that paying the ransom will result in any files actually being decrypted
• The malware connects to a C2 server, downloads additional payloads and persists, where typical ransomware is more likely to “self-destruct”
• Its not great at encrypting files, many times not even bothering to encrypt at all
• There’s no way to get in-touch with the criminals, also the provided bitcoin address is static so no way to know who actually paid it
• The ransom of $50 in grossly under the average amount asked for by typical extortion schemes. Moreso, ransomware typically quotes pricing in bitcoin instead of USD.
• While the malwares authors claim to encrypt with “unbreakable” AES-256, in reality they use a weaker RC2 algorithm and store the key in the encrypted file. This allowed SentinelOne to create a decryption tool
• So far its not very successful as ransomware. At the time of this writing the bitcoin address provided has not received any payments.

So what’s the deal?

It’s possible this is part of targeted attack. Wardle notes that malware contains a function “is_targeted” that may be limiting functionality to systems with a mac address where the first byte is 0x0. Felix Seele from VMRay found that a connection to a C2 server is established if the user Mr.X exists on the system. Reed suggests that while, targeted malware has been known to spread itself wide to “cover its tracks” and hide it true targets, that at this point there’s nothing to indicate it is targeted and that its true value may just be to steal bitcoin wallets.

Its also possible that the malware is just a proof of concept. One of the python files downloaded by the malware includes the following comment:

# TODO: PoCs are great but this thing will
# deliver much better when implemented in
# production

The malware itself is still being actively developed with new versions that seem to call out Wardle, adding a string “Hello Patrick” and detection for his AV tool, Knock Knock.

This isn’t the first and certainly won’t be the last macOS ransomware. As macOS becomes more accepted in the enterprise, malware for mac will become more commonplace. The evasive techniques used by ThiefQuest are now unsurprising, when even a few years ago they may have been notable. More and more malware is coming with valid signed certificates as well. ThiefQuest itself was only discovered a week ago and so its likely that we’ll learn more in the weeks to come. Until then, Mac users, including a certain Pulitzer Prize winning Mr.X, will want to be careful with what they download.