Things that happen every four years: Olympic Games, Presidential elections, and now new Mac ransomware

EvilQuest targets Mac pirates, poses as legit network security and music tools

Security bods are sounding the alarm following the discovery of a rare brand-new strain of Mac ransomware.

Known as EvilQuest, the software nasty was spotted spreading via Russian piracy and torrent sites. The team at infosec outfit Malwarebytes told The Register on Tuesday the malware is the first new piece of macOS ransomware it has detected in the past four years.

Malwarebytes director of Mac and Mobile Thomas Reed said in one sample he analyzed, the malware posed as an installer for the legit, and highly useful, network monitoring tool Little Snitch. EvilQuest has also been spotted pretending to be music-making suite Ableton Live and tuning software Mixed in Key. K7 threat researcher Dinesh Devadoss also reported discovering the ransomware masquerading as a Google software update.

In each case, it appears the ransomware's author simply injected their code into an otherwise legitimate installer. Running the tainted installer code begins the infection process, and after checking whether or it's running in a virtual machine, and for the presence of debugging or antivirus tools, the file-scrambling ransomware starts, albeit on a time delay.

"It’s not unusual for malware to include delays. For example, the first ever Mac ransomware, KeRanger, included a three-day delay between when it infected the system and when it began encrypting files," Reed explained. "This helps to disguise the source of the malware, as the malicious behavior may not be immediately associated with a program installed three days before."

Once the delay runs out – the length of which isn't yet confirmed – the malware begins the process of encrypting files in advance of presenting the victim with a $50 (£40) ransom demand.

Fortunately, the ransomware doesn't appear to be particularly good at its job, and whoever wrote it left in a number of bugs and sloppy coding that can tip off savvy users that something is amiss.

FBI agent on a phone

University of California San Francisco pays ransomware gang $1.14m as BBC publishes 'dark web negotiations'


"The malware wasn't particularly smart about what files it encrypted, however. It appeared to encrypt a number of settings files and other data files, such as the keychain files," said Reed. "This resulted in an error message when logging in post-encryption."

At the same time, the author appears to have ambitions beyond just getting a ransom payout. The malware also has the ability to connect to a command-and-control server, and could add other malware modules.

Little Snitch developer, and macOS security guru, Patrick Wardle noted that in addition to the ransomware components, the malware also appears to have some limited keylogging ability, can possibly run purely in memory (thus making an infection a little more difficult to detect as it doesn't touch any storage) and has the ability to search for and exfiltrate wallet and keys to outside systems.

"Finally, the malware may also try to create a reverse shell if certain preconditions are met," said Wardle. "Armed with these capabilities the attacker can maintain full control over an infected host."

Other than running decent antivirus tools, and not downloading stuff from shady pirate sites and torrents, Reed recommends users protect themselves by maintaining multiple offline backups, so that they can simply wipe and restore their Mac should ransomware strike.

"Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times," said Reed. "Ransomware may try to encrypt or damage backups on connected drives." ®

Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading
  • Internet went offline in Pakistan as protestors marched for ousted prime minister
    Two hour outage 'consistent with an intentional disruption to service' said NetBlocks

    Internet interruption-watcher NetBlocks has reported internet outages across Pakistan on Wednesday, perhaps timed to coincide with large public protests over the ousting of Prime Minister Imran Khan.

    The watchdog organisation asserted that outages started after 5:00PM and lasted for about two hours. NetBlocks referred to them as “consistent with an intentional disruption to service.”

    Continue reading
  • Suspected phishing email crime boss cuffed in Nigeria
    Interpol, cops swoop with intel from cybersecurity bods

    Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

    His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

    The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

    Continue reading

Biting the hand that feeds IT © 1998–2022