The threat of ransomware may seem ubiquitous, but there haven’t been too many strains tailored specifically to infect Apple’s Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. (Researchers originally dubbed it EvilQuest until they discovered the Steam game series of the same name.)
In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or “second stage,” attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.
“Looking at the code, if you split the ransomware logic from all the other backdoor logic the two pieces completely make sense as individual malware. But compiling them together you’re kind of like what?” says Patrick Wardle, principal security researcher at the Mac management firm Jamf. “My current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capability as a way to make extra money.”
Though ThiefQuest is packed with menacing features, it’s unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7’s Devadoss notes that the malware itself is designed to look like a “Google Software Update program.” So far, though, the researchers say that it doesn’t seem to have a significant number of downloads, and no one has paid a ransom to the bitcoin address the attackers provide.
For your Mac to become infected, you would need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it. It’s a good reminder to get your software from trustworthy sources, like developers whose code is “signed” by Apple to prove its legitimacy, or from Apple’s App Store itself. But if you’re someone who already torrents programs and is used to ignoring Apple’s flags, ThiefQuest illustrates the risks of that approach.
Apple declined to comment for this story.
What does it want?
Though ThiefQuest has an extensive suite of capabilities in fusing ransomware with spyware, it’s unclear for what ends, particularly because the ransomware component seems incomplete. The malware shows a ransom note that demands payment, but it only lists a static bitcoin address where victims can send money. Given bitcoin’s anonymity features, attackers who intended to decrypt a victim’s systems upon receiving payment would have no way to tell who had paid already and who hadn’t. Additionally, the note doesn’t list an email address that victims can use to correspond with the attackers about receiving a decryption key—another sign that the malware may not actually be intended as ransomware. Jamf’s Wardle also found in his analysis that, while the malware has all the components it would need to decrypt the files, they don’t seem to be set up to actually function in the wild.
The researchers also emphasize that attackers looking to conduct clandestine reconnaissance with spyware usually want to be as discrete and inconspicuous as possible. Adding ransomware into the mix simply announces the malware’s presence and would likely change a user’s behavior on the device, because all of their files are being encrypted and they’re seeing a dramatic ransom note on their screen. It’s not a situation where you would be likely to do some casual online shopping or log into your bank account. By the same token, ransomware doesn’t usually need to establish persistence on a device and endure through reboots, because it simply needs to initiate the encryption process. When a program announces itself as malware and then persists, it simply makes it more likely that the security community will flag and analyze the software to block it in the future.
“I would think if your main goal was data exfiltration you would want to stay in the background, do that as silently as possible, and have the best chance of going undetected,” Malwarebytes’ Reed says. “So I don’t really understand the point of this very noisy ransomware. When I installed it for testing, every 30 seconds the computer was screaming at me, beeping at me all the time. It’s really noisy in both the literal and digital sense.”
The malware does include some obfuscation features to help it hide out. The malware won’t run if it detects certain security tools like Norton Antivirus. It also lays low if it’s being opened in a digital environment that’s often used for security testing, like a sandbox or virtual machine. And when analyzing the code itself, the researchers say that some components were carefully obscured so it would be difficult to understand what they do. Strangely, though, others were left out in the open for anyone to see.
Wardle theorizes that the malware may have been intended to quietly run its spyware module first, collect valuable data, and only launch the noisy ransomware as a last-ditch effort to gather some funds from a victim before moving on. In testing, some researchers found it harder than others to induce the malware to start encrypting files as part of its ransomware functionality, which may support Wardle’s theory. But the malware is buggy, and for now it’s unclear what the developers’ true intent is.
Given that the malware is being distributed through torrents, seems to focus on stealing money, and still has some kinks, the researchers say it was likely created by criminal hackers rather than nation-state spies looking to conduct espionage. It’s not entirely uncommon in the realm of Windows malware to don a ransomware guise as a distraction or false flag. The NotPetya malware, which caused the most impactful and costly cyberattack in history, pretended to be ransomware, after all. Still, given how rare Mac ransomware is, it’s surprising to see ThiefQuest take such a murky approach.
Perhaps the malware is using ransomware’s hallmark file encryption as a destructive tool in an attempt to permanently lock users out of their computers. Or maybe ThiefQuest is just looking to get as much money out of victims as possible. The real question with Mac ransomware, as always, is what will come next?
This story first appeared on wired.com.