EvilQuest, aka ThiefQuest, has been targeting Mac users and spreading through pirated versions of popular macOS software such as Little Snitch, Mixed In Key and Ableton Live. Little Snitch is trustworthy and highly useful software: it alerts Mac users when other installed software tries to make stealthy network connections that could put security at risk. Little Snitch is not free, so the hackers behind EvilQuest prey on people looking to avoid paying the 45 dollars for it.
The pirated app ships with a "patch" that purports to convert the free trial of Little Snitch into a full paid version. Instead, the patch infects the Mac and opens communications to the attackers' command and control servers. EvilQuest behaves like typical ransomware in that it encrypts documents, images and videos, but it also acts as a keylogger and goes after cryptocurrency wallets.
What Else can EvilQuest Do?
Another feature of EvilQuest is a text-to-speech prompt that reads the ransom note aloud to the victim using the built-in macOS voice capabilities.
According to malware researchers, the ransomware is also capable of in-memory code execution, anti-analysis and persistence. Its anti-analysis measures include functions named "is_debugging" and "is_virtual_mchn", which check whether a debugger is attached and whether the sample is running inside a virtual machine. If either check fires, the malware can change its behaviour, thwarting debugging and stifling researchers who are trying to analyze it.
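The page only names the two checks, so the following is an added example (not EvilQuest's code) of how generic debugger and virtual-machine checks of this kind are typically implemented on macOS, with a Linux fallback so it also builds elsewhere. The macOS debugger check uses the documented sysctl/P_TRACED technique; the VM check looks for hypervisor vendor strings in the hardware model string. Both are representative techniques, not a reproduction of how EvilQuest's own functions work, and the function names are reused only for illustration.

```c
/* Added example: generic anti-analysis checks of the kind described above.
 * Not EvilQuest's code; the techniques are representative, not a reverse-
 * engineering of the sample. Builds on macOS (sysctl) and Linux (/proc, /sys). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>
#include <unistd.h>
#endif

/* Parse the TracerPid line of a /proc/<pid>/status-style text.
 * Returns the tracer's pid (0 when nothing is attached), or -1 if the line is absent. */
int tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    if (p == NULL)
        return -1;
    return atoi(p + strlen("TracerPid:"));
}

/* Returns 1 if a debugger is attached to this process, 0 otherwise. */
int is_debugging(void)
{
#ifdef __APPLE__
    /* Ask the kernel for our own kinfo_proc and test the P_TRACED flag. */
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return 0;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    /* Linux: a non-zero TracerPid in /proc/self/status means ptrace is attached. */
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
#endif
}

/* Heuristic VM detection: hypervisors expose recognisable vendor strings in the
 * hardware model / product name (e.g. "VMware7,1" instead of "MacBookPro16,1"). */
int looks_virtual(const char *model)
{
    static const char *markers[] = {
        "VMware", "VirtualBox", "Parallels", "QEMU", "KVM", "Virtual Machine"
    };
    for (size_t i = 0; i < sizeof(markers) / sizeof(markers[0]); i++)
        if (strstr(model, markers[i]) != NULL)
            return 1;
    return 0;
}

/* Returns 1 if the machine looks like a VM, 0 otherwise (or on error). */
int is_virtual_mchn(void)
{
    char model[256] = { 0 };
#ifdef __APPLE__
    size_t len = sizeof(model) - 1;
    if (sysctlbyname("hw.model", model, &len, NULL, 0) != 0)
        return 0;
#else
    FILE *f = fopen("/sys/class/dmi/id/product_name", "r");
    if (f == NULL)
        return 0;
    if (fgets(model, sizeof(model), f) == NULL)
        model[0] = '\0';
    fclose(f);
#endif
    return looks_virtual(model);
}

int main(void)
{
    printf("debugger attached: %d\n", is_debugging());
    printf("virtual machine:   %d\n", is_virtual_mchn());
    return 0;
}
```

When analysing a sample that carries checks like these, the usual move is to neutralise them rather than avoid triggering them: in lldb, `breakpoint set -n is_debugging` followed by `thread return 0` when the breakpoint hits forces the function to report "no debugger", and the same trick works for the VM check.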
How to Survive a Malware Infection
Removing the malware does not bring encrypted files back: without the key, the only reliable way to recover them is from a backup, and cleaning up the machine usually means wiping and reinstalling. The best way to avoid suffering the consequences of ransomware is therefore to maintain a current set of backups, keep several copies of all important data, and store at least one copy offline or otherwise out of reach of an infected Mac.