The ransomware threat may seem ubiquitous, but there haven't been many strains specifically designed to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced just four years ago. So when Dinesh Devadoss, a malware researcher at K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers now call ThiefQuest, only gets more interesting from there. (Researchers originally called it EvilQuest until they discovered the Steam game series of the same name.)
In addition to ransomware, ThiefQuest has a number of other spyware features: it exfiltrates files from an infected computer, searches the system for passwords and cryptocurrency wallet data, and runs a robust keylogger to capture passwords, credit card numbers, or other financial information as the user types them. The spyware component also persists as a backdoor on infected devices, meaning it survives a restart and can be used as a launchpad for additional, "second stage" attacks. Given how rare ransomware is on Macs in the first place, this one-two punch is particularly noteworthy.
"If you look at the code and separate the ransomware logic from the other backdoor logic, the two parts make complete sense as individual pieces of malware. But when you put them together, you're kind of like, what?" says Patrick Wardle, chief security researcher at Mac management company Jamf. "My current gut feeling about all of this is that someone basically developed a Mac malware that allows them to fully control an infected system remotely. They also added some ransomware features to make extra money."
Even though ThiefQuest comes with threatening features, your Mac is unlikely to be infected any time soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at security firm Malwarebytes, noted that ThiefQuest is being distributed on torrent sites bundled with name-brand software such as the Little Snitch security application, the Mixed In Key DJ software, and the Ableton music production platform. K7's Devadoss notes that the malware itself masquerades as a "Google Software Update program". So far, however, the researchers say there does not appear to have been a significant number of downloads, and no one has paid a ransom to the bitcoin address the attackers provided.
For your Mac to be infected, you would need to torrent a compromised installer and then click through a series of warnings from Apple in order to run it. It's a good reminder to get your software from trusted sources, such as developers whose code has been "signed" by Apple to prove its legitimacy, or from the Apple App Store. But if you're already in the habit of torrenting programs and ignoring Apple's warnings, ThiefQuest shows the risks of that approach.
Apple declined to comment on the story.
What does it want
Although ThiefQuest has an extensive set of features for combining ransomware with spyware, it is unclear what all of it is for, especially since the ransomware component appears to be incomplete. The malware displays a ransom note demanding payment, but only lists a static Bitcoin address to which victims can send money. Given Bitcoin's anonymity features, attackers who wanted to decrypt a victim's system after receiving payment would have no way of knowing who had paid and who hadn't. The note also does not include an email address victims could use to correspond with the attackers about receiving a decryption key, another sign that the malware may not really be intended as ransomware. Jamf's Wardle also found in his analysis that while the malware contains all the components necessary to decrypt the files, it does not appear to be set up to actually do so in the wild.
The researchers also emphasize that attackers who want to use spyware to spy on a victim usually want to be as discreet and unobtrusive as possible. Adding ransomware to the mix only announces the malware's presence, and would likely change the user's behavior on the device once all their files are encrypted and a dramatic ransom note appears on screen. It's not a situation in which a victim is likely to casually shop online or log into their bank account. For the same reason, ransomware does not normally need to persist on a device or survive a reboot, since it only needs to kick off the encryption process. If a program announces itself as malware and then persists, the security community is simply more likely to flag and analyze it so that it can be blocked in the future.
"I would think that if your main goal was data exfiltration, you want to stay in the background, do it as quietly as possible and have the best chance of being undetected," said Reed of Malwarebytes. "I don't really understand the point of this very loud ransomware. When I installed it for testing, the computer shouted at me every 30 seconds and beeped all the time. It is very loud both literally and digitally."
The malware contains some obfuscation features that help it hide. It does not run when certain security tools such as Norton Antivirus are detected. It also lies low when opened in an environment that is often used for security testing, such as a sandbox or a virtual machine. And in analyzing the code itself, the researchers say that some components have been carefully obfuscated, making it difficult to understand what they do, while, oddly, others were left in the open for anyone to see.
Wardle suspects that the malware may have been intended to run its spyware module silently first, collect valuable data, and only launch the noisy ransomware as a last attempt to extract money from a victim before moving on. In testing, some researchers found it harder than others to get the malware to encrypt files as part of its ransomware functionality, which may support Wardle's theory. But the malware is buggy, and it is currently unclear what the developers' real intent is.
Given that the malware is spreading through torrents, seems focused on stealing money, and still has some rough edges, the researchers say it was likely created by criminal hackers rather than by nation-state spies engaged in espionage. In the world of Windows malware, using ransomware as a distraction or a false flag is not uncommon. The NotPetya malware behind the most devastating and costly cyberattack in history, for instance, posed as ransomware. Given the rarity of Mac ransomware, it's surprising to see ThiefQuest take such a murky approach.
The malware may be using ransomware's file encryption as a destructive tool to permanently lock users out of their computers. Or perhaps ThiefQuest is simply trying to squeeze as much money out of victims as possible. The real question with Mac ransomware, as always, is what comes next.
This story first appeared on wired.com.