ThiefQuest malware for macOS is a triple threat

In June, security researchers discovered a new variant of Mac malware: ThiefQuest (also known as EvilQuest, EffectiveIdiot, and Mac.Ransom.K). 

ThiefQuest created a flurry of excitement in the Mac security community, because it appeared to be something extremely rare: honest-to-goodness ransomware for macOS. However, after further analysis, it turned out to be something even more interesting: an evolving hybrid threat that combines ransomware, spyware, and data theft capabilities.

Distribution method

ThiefQuest is being distributed through malicious installer files for pirated apps, including the DJ app Mixed In Key, the music production app Ableton, and the firewall app Little Snitch. It should be noted that all of these apps are legitimate software, and that their developers have nothing to do with ThiefQuest — only the pirated versions of the apps contain malicious components.

If a trojanized installer is not signed with an Apple Developer ID, users will see a warning when they click on it, but they will have the option to ignore this warning and launch the app anyway.

ThiefQuest as ransomware

ThiefQuest, at first glance, appears to be ransomware for macOS. When its ransomware functionality is triggered, ThiefQuest begins encrypting files on the infected system, and eventually directs the victim to a simple ransom note on their Desktop. The note informs the user that they have been infected, and instructs them to send $50 in bitcoin to an anonymous Bitcoin wallet address. 

However, there are several reasons to suspect that the ransomware functionality of ThiefQuest isn’t really its primary purpose at all.

First of all, ThiefQuest doesn’t appear to take encryption all that seriously. It uses a weak standard to encrypt the compromised machine’s files — a fact that allowed malware researchers at SentinelOne to build a working decryptor tool within weeks of the new malware’s discovery.

Secondly, as security researcher Phil Stokes points out, ThiefQuest demands a relatively paltry ransom (just $50 USD), and offers no way for a victim to contact the bad guys to inform them that the ransom has been paid. In addition, researchers have noticed that the Bitcoin wallet address given in several different samples is identical, meaning that if one of the ransomware’s victims did decide to pay, there would be no way for anyone to know which infected computer had actually paid the ransom. As Stokes wryly notes, that generic Bitcoin wallet address has seen a grand total of zero transactions — meaning that whatever else it may be, ThiefQuest is not exactly a model of persuasive ransomware!

A final oddity of this “ransomware” is that it appears to leave an infected computer mostly intact: even after it is active, victims can still access and use their systems.

All of this means that if ThiefQuest is only ransomware and nothing more, then things don’t add up. It’s either very badly designed ransomware, or it’s something else — perhaps something that was never intended as ransomware in the first place — with the half-baked ransomware functionality serving as a distraction.

ThiefQuest as spyware and data exfiltration malware

Upon closer inspection, the security researchers analyzing ThiefQuest discovered that it was indeed much more than just shoddy ransomware!

In his detailed two-part analysis, Patrick Wardle notes that the malware’s code contains evidence of spyware functionality. There is a command that starts up a keylogger, and then records keypresses on the system and passes them on to several other functions,  which allows the captured data to be outputted as formatted strings. 

Wardle also found that ThiefQuest is designed to steal certain types of files from its victims. Once activated, the malware’s data exfiltration functionality creates an inventory of the directories and files on the infected machine, and then searches for files that fall into certain sensitive categories (in particular, certificates, cryptocurrency wallets, and keys). If ThiefQuest finds files of interest, it will send their contents back to its command and control server.

ThiefQuest can also contact its C&C server to receive malicious payloads, which can then be executed on the infected machine. The malware appears to support both in-memory payload execution and, as a backup, on-disk execution. In addition, ThiefQuest is able to execute commands given to it by the remote server, and it can also retrieve encoded files and download them onto a compromised system.

In short, whatever failings ThiefQuest may have in the ransomware department, it more than makes up for them with the sophistication and power of its spyware and data exfiltration capabilities!

Other notable features

ThiefQuest has a few other interesting features that are worth mentioning.

Once launched, the malware checks to see if it’s running in a virtual machine (VM) or not. VMs are virtualized operating systems that run in specialized software on a host computer, sort of an “OS within an OS”. Security researchers use virtual machines to study malware safely, so this VM check may indicate that ThiefQuest is attempting to avoid analysis. 

In addition, ThiefQuest checks the processes currently running on the system and looks for well-known security products; if it finds one of these, the malware will attempt to shut it down in order to prevent detection.

Finally, ThiefQuest appears to be under active development. New variants have already appeared since the malware was first discovered and analyzed, and one of the new samples even appears to call out Wardle by name — it contains an encrypted string which, when decoded, reads “Hello Patrick”. Whatever else you can say about them, ThiefQuest’s authors appear to have a sense of humor!

How to avoid infection

ThiefQuest is a serious and potentially dangerous hybrid threat for macOS. But there are several simple things you can do to stay safe:

1. 1

   Say no to piracy

   At the time of writing, all samples of ThiefQuest discovered “in the wild” have been found in pirated versions of popular software. Such pirated apps are often distributed through forums and on filesharing sites. The best way to prevent a ThiefQuest infection is to avoid pirated software and the websites that distribute it. Ethical and legal considerations aside, pirated apps are one of the most common infection vectors used by Mac malware — reason enough to stay far away from them.

2. 2

   Follow app safety guidelines

   Make sure you’re following best practices for running apps safely on your Mac. Only download apps from the Mac App Store, or directly from the website of an app developer that you know and trust. In addition, pay attention to the alert dialogs shown by macOS. If your Mac warns you that an app hasn’t been signed with a valid Apple Developer ID, then don’t install that app!

3. 2

   Use an anti-malware tool

   Mac users should always run a reputable, regularly updated malware detection tool as an added precaution. Such tools are equipped to detect newer malware variants like ThiefQuest, and in addition will help keep you safe from Potentially Unwanted Programs, keyloggers, and other security and privacy threats. If you don’t have this kind of protection on your system yet, MacScan 3 is available as a 30-day trial download (and has already been updated with definitions for multiple variants of ThiefQuest).

ThiefQuest is a fascinating piece of malware from a security research standpoint, and a prime example of the continuing evolution of Mac malware. But it’s also a potentially serious threat to Mac users — so if you have additional questions about how to keep yourself safe from ThiefQuest, or deal with a possible infection, please feel free to reach out to us and ask for help.