The Mac is one of the most secure devices in the world, which means malware infections are rare. When one does happen, though, it makes the news.
Unfortunately, the Mac’s strong security measures did not fend off a new ransomware that goes by the name of EvilQuest. The “Evil” in its name is fitting: like any other ransomware, it encrypts the target’s files and demands money in exchange for them.
Apparently, EvilQuest is distributed through pirated applications. According to researchers, it is packaged along with legitimate apps and, once set up on the device, disguises itself as Google Software Update or Apple’s CrashReporter.
Once installed, all the malicious acts start to surface. The ransomware was discovered on June 29th, 2020. However, further evidence shows that it has been around since the start of June 2020.
How Does It Work?
We’re used to how ransomware works nowadays. However, with each incident, we notice a different method, technique, or algorithm used in the cybercrime at hand.
EvilQuest is no different, as it has its own unique traits compared with earlier ransomware examples. It’s already a known fact that ransomware encrypts user data and charges money in exchange for decryption.
However, to add insult to injury, EvilQuest also installs a keylogger along with a reverse shell on the system, not to mention code that harvests cryptocurrency wallet files.
As reported by Stokes, the ransomware encrypts files with certain extensions. We’re referring to the likes of:
.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat.
We already mentioned what the ransomware installs, but here’s why:
- Keylogger: To record all the user’s keystrokes.
- Reverse Shell: To connect to the infected host and run custom commands at will.
Finally, the attacker also steals the kinds of files used by cryptocurrency wallet apps. These usually take the form of wallet.png, key.png, .p12, and wallet.pdf.
Now, once the target’s device is infected, the ransomware encrypts the device and sends the following request.
It then directs the victim to open a ransom note named READ_ME_NOW, which comes in the form of a text file.
The note can be found on the Mac’s desktop and it looks like the image below:
Three experts are investigating the ransomware now: Patrick Wardle, Principal Security Researcher at Jamf, Thomas Reed, Director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne.
According to Thomas Reed:
“To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed.
However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.”
Every piece of malware or ransomware has a source, and this one appears to be trojanized versions of popular macOS software.
We’re referring to software such as Mixed In Key 8 (DJ Software), Ableton Live, and Little Snitch, which are distributed on popular torrent sites.
With such ransomware, Wardle stated that the attacker can maintain full control over an infected host.
Ransomware is dangerous, and one should always be careful about what they download. You never know when an attacker is hiding behind a legitimate-looking application.
To avoid such a predicament, you can always install antivirus software, update your system, stay away from unnecessary apps, and install a Virtual Private Network on your devices.
There are websites such as The VPN Guru that can help enhance your knowledge and provide you with comprehensive guides reflecting security and privacy measures you should take.