New 'EvilQuest' ransomware is actively targeting macOS users in the wild

Posted in General Discussion
A new piece of Mac ransomware distributed via pirated software, dubbed "EvilQuest," is actively targeting macOS users in the wild.

EvilQuest is a new piece of Mac ransomware, but also has capabilities that could allow attackers full access of infected Macs.


Although ransomware specifically aimed at Mac users is particularly rare, new instances of malicious software that encrypts user files and demands a ransom to unlock them do surface from time to time.

On Tuesday, several security researchers published analysis and reports of the newly discovered "OSX.EvilQuest" ransomware. First spotted by independent malware researcher Dinesh Devadoss, EvilQuest is said to have been circulating in the wild since the start of June 2020, ZDNet reported.

EvilQuest has a few nefarious additions that make it unique among ransomware examples. In addition to maliciously encrypting a user's files and charging money to unlock them, EvilQuest also installs a keylogger and a reverse shell on a system, along with code that steals cryptocurrency wallet files.

The EvilQuest ransom note. Credit: Patrick Wardle


According to former NSA hacker and Jamf macOS security researcher Patrick Wardle, those capabilities could allow attackers "full control over an infected host."

As with previous pieces of Mac ransomware, it appears that EvilQuest is distributed via pirated software. Researchers have found it bundled in a package called Google Software Update, while others have seen it hidden in pirated versions of DJ app Mixed In Key and security tool Little Snitch.

According to Malwarebytes Mac & Mobile chief Thomas Reed, the ransomware also attempts to modify files in Google Chrome's update mechanism in an effort to gain persistence on an infected machine.

This is the third instance of a piece of ransomware surfacing that specifically targets macOS users, following the discovery of Patcher in 2017 and KeRanger in 2016.

How to avoid or mitigate the EvilQuest ransomware

At this point, it appears that EvilQuest is solely being distributed through torrenting websites and pirated software. So if you stick to the Mac App Store or third-party developers that you trust, you should be able to avoid getting it.

There are also two apps that can mitigate the risks of EvilQuest for users.

Wardle's free and open-source RansomWhere? app can generically detect and stop ransomware on macOS. The latest version of Malwarebytes can also detect and mitigate EvilQuest before it does any damage.

Comments

  • Reply 1 of 16
    AppleInsider might also consider recommending regular OFFLINE backups of your files in macOS.  (Offline meaning backups that are taken to external media, with the medium immediately disconnected from the computer after the backup is completed.)  Time Machine fits the bill here.  Even if you do get hit with the ransomware, there’s no reason to pay the ransom if you can restore from a previous back-up.
  • Reply 2 of 16
    razorpit Posts: 1,796 member
    AppleInsider might also consider recommending regular OFFLINE backups of your files in macOS.  (Offline meaning backups that are taken to external media, with the medium immediately disconnected from the computer after the backup is completed.)  Time Machine fits the bill here.  Even if you do get hit with the ransomware, there’s no reason to pay the ransom if you can restore from a previous back-up.
    Problem is a lot of times the backups are hosed long before you even notice you were infected. Unless you have multiple Time Machine drives you rotate through I think you're still hosed.

    I don't have the time to research at the moment, but does iCloud Drive provide any ransomware protection?
  • Reply 3 of 16
    razorpit said:
    Problem is a lot of times the backups are hosed long before you even notice you were infected. Unless you have multiple Time Machine drives you rotate through I think you're still hosed.

    I don't have the time to research at the moment, but does iCloud Drive provide any ransomware protection?
    That's why I use (and recommend) a 'Rotating Tower of Hanoi' structure for backup media. This goes back to the days of 2400ft Tape Reels.
    It applies just as much today as it did in the 1980s.
    I can go to the Fire Safe in my Garage and get a full Time Machine backup from January 2020 or December 2019 and other dates in between.
  • Reply 4 of 16
    j2fusion Posts: 153 member
    Another alternative is a cloud backup service such as Backblaze or Carbonite. These services keep multiple versions and are a good defense against physical loss such as a house fire or burglary. I’m not sure about Carbonite but Backblaze which I use is quite inexpensive. 
  • Reply 5 of 16
    Still another alternative is to not download pirated apps and stick as much as possible to software from the Mac Store and trusted vendors.
  • Reply 6 of 16
    DAalseth Posts: 2,783 member
    razorpit said:
    AppleInsider might also consider recommending regular OFFLINE backups of your files in macOS.  (Offline meaning backups that are taken to external media, with the medium immediately disconnected from the computer after the backup is completed.)  Time Machine fits the bill here.  Even if you do get hit with the ransomware, there’s no reason to pay the ransom if you can restore from a previous back-up.
    Problem is a lot of times the backups are hosed long before you even notice you were infected. Unless you have multiple Time Machine drives you rotate through I think you're still hosed.

    I don't have the time to research at the moment, but does iCloud Drive provide any ransomware protection?
    I asked the same question a while back on another site and was told that no it wouldn’t. I believe the issue is that the files on your desktop Mac get encrypted and the system sees that as an update, so they get pushed out to iCloud. 

    OTOH I keep a lot of my files only on iCloud. I don’t know if they would be isolated enough. 
  • Reply 7 of 16
    lkrupp Posts: 10,557 member
    “At this point, it appears that EvilQuest is solely being distributed through torrenting websites and pirated software.”

    Wow, imagine that. Stupid is as stupid does. Between fake Flash installers and pirate sites I guess those who get nailed deserve it.

    So you’re pissed that your pirated version of Office is 32 bit so you go to a torrent to download another pirated copy of Office and wind up with ransomware. Too bad, so sad.
    edited June 2020
  • Reply 8 of 16
    DAalseth Posts: 2,783 member
    You know it would be great if a reputable site we could trust like APPLEINSIDER would review Malware/Ransomware packages. I think I should add one to my existing AV protection, but I don’t know what’s good and what is not.
    edited June 2020
  • Reply 9 of 16
    lkrupp Posts: 10,557 member
    DAalseth said:
    You know it would be great if a reputable site we could trust like APPLEINSIDER would review Malware/Ransomware packages. I think I should add one to my existing AV protection, but I don’t know what’s good and what is not.
    On the Apple discussion forums Apple Specialists are starting to recommend Malwarebytes to users. Malwarebytes has been recommended by volunteers for a couple of years now on those forums. The fact that Apple employees are now recommending it says a lot. There's a free version that lets you manually scan your system. The paid version monitors and scans on a regular basis. It can also remove any malware it finds. Malwarebytes is not AV software but scans for known malware and removes it. Its database is updated as new malware is discovered. I have it installed on my own system and it doesn't seem to affect performance at all, unlike some other AV software.
    edited July 2020
  • Reply 10 of 16
    ahobbit Posts: 19 member
    Still yet another alternative is to not use Chrome.
    At least for this case.

    The Google Updater that comes with it seems to me to be a pretty invasive piece of software.
    It "phones home" to some Google server every 10-15 minutes and is quite hard to get rid of, even if you uninstall Chrome.
    No wonder that hackers hook into this for their uses.

    Chrome might have some nice features, but it is a terrible resource hog and the underpinnings are poorly written, I feel.
  • Reply 11 of 16
    ralphie Posts: 102 member
    Still another alternative is to not download pirated apps and stick as much as possible to software from the Mac Store and trusted vendors.
    Who’s to say a developer doesn’t unknowingly upload a virus-laden app to the App Store. Apple doesn’t/can’t scrutinize for that. They barely even run apps submitted, just a bare-bones cursory launch and an automated check for use of private APIs.
  • Reply 12 of 16
    cgWerks Posts: 2,952 member
    ralphie said:
    Who’s to say a developer doesn’t unknowingly upload a virus-laden app to the App Store. Apple doesn’t/can’t scrutinize for that. They barely even run apps submitted, just a bare-bones cursory launch and an automated check for use of private APIs.
    Yeah, that's the problem... SO FAR it has only been some pirated versions (well, one a redistribution of something free), but it could eventually end up in legitimate apps. It wouldn't be the first time. Getting apps from the App Store and trusted developers certainly increases your odds of avoiding it, though.

    But as others have said, backups are crucial (anyway!). A couple different forms, too.

    Does anyone happen to know how these things get triggered? Are they typically manually triggered? Or, do they wait for so long after being 'installed' to trigger? (I'd assume the strategy is to wait a while, or people would more likely have unaffected backups. On the other hand, if they wait too long, they are more likely to be detected.)
  • Reply 13 of 16
    Marvin Posts: 15,309 moderator
    cgWerks said:
    ralphie said:
    Who’s to say a developer doesn’t unknowingly upload a virus-laden app to the App Store. Apple doesn’t/can’t scrutinize for that. They barely even run apps submitted, just a bare-bones cursory launch and an automated check for use of private APIs.
    Yeah, that's the problem... SO FAR it has only been some pirated versions (well, one a redistribution of something free), but it could eventually end up in legitimate apps. It wouldn't be the first time. Getting apps from the App Store and trusted developers certainly increases your odds of avoiding it, though.

    But as others have said, backups are crucial (anyway!). A couple different forms, too.

    Does anyone happen to know how these things get triggered? Are they typically manually triggered? Or, do they wait for so long after being 'installed' to trigger? (I'd assume the strategy is to wait a while, or people would more likely have unaffected backups. On the other hand, if they wait too long, they are more likely to be detected.)
    There's a description of this malware here:

    https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/

    It says it starts automatically once the installer is run, using a post-install script. It adds files to LaunchAgents too in order to launch beyond reboots. I really wish Apple would lock down the LaunchAgents feature. So few legitimate apps use it but so much malware does. That allows malware to start running again if it's stopped.

    It can be something as simple as having a system watcher on the LaunchAgents folders and popping up a dialog saying something modified a secure folder. For legitimate apps, the user can type in a password to verify and it would be a quick warning when something is wrong. There's a Mac app that does this by creating a safe profile and then comparing when new files appear in dangerous locations:

    https://sqwarq.com/detectx/

    It would also be useful to have something that verifies the process lists on a computer, which should be quite fast. So when a process starts from a path that is unusual and with other identifying features like a small executable or is trying to do something with a lot of files, the system can also flag up a warning. If a process that is new to the system starts deleting thousands of files, that's a pretty big red flag for malware and the system can stop the executable from doing this.

    I think new processes on a system should by default have only read access to the filesystem. The only time they need delete/write permissions is when the user explicitly interacts with them to save files.
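One way to implement the "safe profile, then compare" idea Marvin describes above, as an added example that is not the article's, DetectX's, or any commenter's code: it snapshots the plist files in the launch agent/daemon folders, and a later run reports anything added, changed or removed. The directory list and the baseline file name are assumptions; pass your own directories to exercise it on constructed folders.

```python
"""Baseline-and-diff check for macOS launch agent folders (added example)."""
import hashlib
import json
import sys
from pathlib import Path

# Persistence locations discussed in the thread (user and system LaunchAgents);
# /Library/LaunchDaemons is added as the system-wide counterpart. Assumed list.
DEFAULT_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def snapshot(dirs=DEFAULT_DIRS):
    """Return {path: sha256-hex} for every .plist file found in the given dirs."""
    result = {}
    for d in dirs:
        if not d.is_dir():
            continue  # directory may legitimately not exist (e.g. no user agents)
        for p in sorted(d.glob("*.plist")):
            result[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def diff(baseline, current):
    """Compare two snapshots; returns sorted lists of added/modified/removed paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def report(changes):
    """Render changes as lines; an ADDED or MODIFIED entry is the one to investigate."""
    return [f"[{kind.upper()}] {p}" for kind in ("added", "modified", "removed")
            for p in changes[kind]]


if __name__ == "__main__":
    # First run writes the baseline; later runs print what changed since then.
    base_file = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("launch_baseline.json")
    if not base_file.exists():
        base_file.write_text(json.dumps(snapshot(), indent=1))
        print(f"baseline written to {base_file}")
    else:
        for line in report(diff(json.loads(base_file.read_text()), snapshot())):
            print(line)
```

Run it once right after a clean install to record the baseline, then periodically (or from a launchd job of your own) to see whether anything has appeared in those folders without your knowledge.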
  • Reply 14 of 16
    MplsP Posts: 3,911 member
    Any word on whether the typical antivirus software will catch/stop this? 

    I agree the alert on the launch agent folder would be a good idea; treat it as a protected folder that requires authentication to modify, just like adding an application.
  • Reply 15 of 16
    Hank2.0 Posts: 151 member
    I asked the good folks at ClamAV if their Sentry could detect EvilQuest. Here is their answer...
    Thanks for getting in touch.
    Yes, Sentry protects against EvilQuest. We finished our analysis of it yesterday, shortly after it was announced, and updated the app to remove it.
    I hope this helps.
    Kind regards,
    Matt 

    Your ClamXAV Support Team
  • Reply 16 of 16
    cgWerks Posts: 2,952 member
    Marvin said:
    It says it starts automatically once the installer is run, using a post-install script. It adds files to LaunchAgents too in order to launch beyond reboots. I really wish Apple would lock down the LaunchAgents feature. So few legitimate apps use it but so much malware does. That allows malware to start running again if it's stopped.
    Yeah, if you go look, there are often a bunch of things there that you didn't realize or don't really need to be there. You should at least get notified and have to give it an OK, like so many other things these days.

    MplsP said:
    Any word on whether the typical antivirus software will catch/stop this? 
    Not sure, but the article lists a few ways to check for it at the end. I just fire up Malwarebytes once in a while.

    (As an aside, I almost feel bad just running the free mode, as they provide a useful service - though I've never found anything, nor with A/V since like back in OS7 days - but their subscription adds features I don't want and is kind of pricy, IMO. I'd be more likely to just buy a new version of it for $5-10 each time, or maybe $5-10/year. Do they actually get many buyers at $50+/yr?)