# ThiefQuest ransomware is a file-stealing Mac wiper in disguise **[bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/](https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/)** Sergiu Gatlan By [Sergiu Gatlan](https://www.bleepingcomputer.com/author/sergiu-gatlan/) June 30, 2020 08:31 PM 5 A new data wiper and info-stealer called ThiefQuest is using ransomware as a decoy to steal files from macOS users. The victims get infected after downloading trojanized installers of popular apps from torrent trackers. While not common, ransomware has been known to target the macOS platform in the past, with [KeRanger,](https://www.bleepingcomputer.com/tag/keranger/) [FileCoder (aka](https://securelist.com/unfinished-ransomware-for-macos-x/66760/) [Findzip), and](https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/) [Patcher being three other examples of](https://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/) malware designed to encrypt Mac systems. ThiefQuest was first [spotted by K7 Lab malware researcher Dinesh Devadoss and analyzed](http://twitter.com/dineshdina04/status/1277668001538433025) by [Malwarebytes' Director of Mac & Mobile Thomas Reed,](https://blog.malwarebytes.com/mac/2020/06/new-mac-ransomware-spreading-through-piracy/) Jamf Principal Security [Researcher Patrick Wardle, and BleepingComputer's Lawrence Abrams, who found an](https://twitter.com/LawrenceAbrams) interesting twist. ## Installs a keylogger and opens a reverse shell ----- Devadoss discovered that ThiefQuest includes the capability to check if it's running in a virtual machine (more of a sandbox check according to Wardle), and it features anti-debug capabilities. It also checks for some common security tools (Little Snitch) and antimalware solutions (Kaspersky, Norton, Avast, DrWeb, Mcaffee, Bitdefender, and Bullguard) and opens a reverse shell used for communication with its command-and-control (C2) server as VMRay [technical lead Felix Seele found.](https://twitter.com/c1truz_/status/1277890179257303040) The malware will connect to http://andrewka6.pythonanywhere[.]com/ret.txt to get the IP address of the C2 server to download further files and send data. "Armed with these capabilities the attacker can maintain full control over an infected host," Wardle said. **Pirated app infected with ThiefQuest ransomware promoted on RUTracker** (Malwarebytes) ## Distributed as pirated apps on torrent sites As Reed found after examining the ransomware, ThiefQuest is dropped using infected installers wrapping legitimate software including but not limited to Little Snitch, Ableton, and Mixed in Key. Even though the malicious .PKG installers downloaded from popular torrent sites are code signed and look just as any legitimate installer would when launched, they are distributed as DMG files and don't have a custom icon, a warning sign that something is not quite right for many macOS users. Reed also found that, in the case of one of the ThiefQuest samples analyzed, the packages of compressed installer files include the pirated apps' original installers and uninstallers, together with a malicious patch binary and a post-install script used to launch the installer and launch the malware. ----- ThiefQuest also copies itself into ~/Library/AppQuest/com.apple.questd and creates a launch agent property list at ~/Library/LaunchAgents/com.apple.questd.plist with a _RunAtLoad key set to true to automatically get launched whenever the victim logs into the_ system. After gaining persistence on the infected device, ThiefQuest launches a configured copy of itself and starts encrypting files appending a BEBABEDD marker at the end. Unlike Windows ransomware, ThiefQuest has issues starting to encrypt files. When it does, it isn't picky. It seems to be locking files randomly, generating various issues on the compromised system from encrypting the login keychain to resetting the Dock to the default look, and causing Finder freezes. ----- Once file encryption is complete, it creates a text file named READ_ME_NOW.txt with the ransom instructions," Wardle added, and it will also display and read a modal prompt using macOS' text-to-speech feature letting the users know that their documents were encrypted. The victims are asked to pay a $50 ransom in bitcoins within three days (72 hours) to recover their encrypted files and are directed to read a ransom note saved on their desktops. **ThiefQuest encryption message** **ThiefQuest ransom note** Suspiciously, ThiefQuest is using the same [static Bitcoin address for all victims and does](https://www.blockchain.com/btc/address/13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7) not contain an email address to contact after payment has been made. This makes it impossible for the attackers to identify victims who paid the ransom, and for a victim to contact the ransomware operators for a decryptor. Combining a static Bitcoin address with a lack of contact methods is a strong indication that the ransomware is a wiper instead. Wipers, though, are usually used as a cover for some other malicious activity. ## Wiper malware used for data theft After the malware was analyzed by BleepingComputer's Lawrence Abrams, we believe that the ransomware is simply a decoy for the true purpose of this malware. That is to search for and steal certain file types from the infected computer. When the malware is executed on a Mac, it will execute shell commands that download Python dependencies, Python scripts disguised as GIF files, and then run them. ----- **Executed shell commands** Source: BleepingComputer The tasks conducted by the above command are: Delete the /Users/user1/client/exec.command and /Users/user1/client/click.js files. Download and install PIP Install the Python 'requests' dependency Download p.gif, which is a Python file, and execute it. Download pct.gif, which is another Python file, and execute it. The p.gif file is a [heavily obfuscated Python script, and we have not been able to determine](https://pastebin.com/S6CXCRBi) what its functionality is. **Heavily obfuscated Python script** Source: BleepingComputer Of particular interest in the above file is the comment: ----- ``` # n__ature checking PoC # TODO: PoCs are great but this thing will # deliver much better when implemented in # production ``` The pct.gif file is not obfuscated and is clearly a data exfiltration script that steals files under the /Users folder and sends it to a remote URL. **Data exfiltration script** Source: BleepingComputer When executed, this script will search for any files under the /Users folder that contain the following extensions ``` .pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat ``` For any files that matches the search criteria, it will base64 encode the contents of the file and send it and the path of the file back to the threat actors Command & Control server. These files include text files, images, Word documents, SSL certificates, code-signing certificates, source code, projects, backups, spreadsheets, presentations, databases, and cryptocurrency wallets. To illustrate how this may look on the other end for the threat actor, BleepingComputer created a proof-of-concept script that accepted the requests from the above data-stealing script. ----- **PoC of receiving of stolen files** Source: BleepingComputer While our PoC only logs the contents of a file to our log file, it could have written each file to a folder matching the victim's IP address. One interesting feature of this script is that it will not transfer any files greater than 800KB in size. Advanced Intel's [Vitali Kremez, who BleepingComputer shared the script with, agreed with](https://twitter.com/VK_Intel) our findings and pointed out that many of the searched file types are generally over 800KB in size. ## What victims should do? As you can see, the ThiefQuest wiper is much more damaging than first thought, as not only will data be encrypted, but it may not even be decryptable if a victim pays. To make matters worse, the malware will steal files from your computer that contain sensitive information that could be used for a variety of malicious purposes, including identity theft, password harvesting, stealing of cryptocurrency, and stealing private security keys and certificates. If you were infected with this malware, you should assume any files that match the listed extensions have been stolen or compromised in some manner. While it is not known if a decryptor can be made, users can install Wardle's free RansomWhere utility, which detects ThiefQuest's attempts to gain persistence and allows them to terminate it once it starts locking their files. Reed also says that Malwarebytes for Mac is capable of detecting this new macOS ransomware as Ransom.OSX.ThiefQuest and will remove it from infected Macs. At the moment, researchers are still looking into what encryption ThiefQuest uses to encrypt its victims' files and if there are any weaknesses in the encryption. ----- **_Update July 02, 09:00 EDT: We updated the title and the article to reflect the malware s_** name change to ThiefQuest from EvilQuest (a name used by Chaosoft Games Xbox 360 and PC video game since 2012.) ### Related Articles: [Apple emergency update fixes zero-day used to hack Macs, Watches](https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-day-used-to-hack-macs-watches/) [These refurbished Macs for testing, relaxing, and experimenting](https://www.bleepingcomputer.com/offer/deals/these-refurbished-macs-for-testing-relaxing-and-experimenting/) [Apple emergency update fixes zero-days used to hack iPhones, Macs](https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-days-used-to-hack-iphones-macs/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [Adware Maker Tries to Intimidate Security Firm with Cease and Desist Letters](https://www.bleepingcomputer.com/news/security/adware-maker-tries-to-intimidate-security-firm-with-cease-and-desist-letters/) ## IOCs ### Network traffic: ``` http://andrewka6.pythonanywhere.com/ret.txt http://167.71.237.219 Ransom note text: ``` ----- ``` YOUR IMPORTANT FILES ARE ENCRYPTED Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service. We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement). Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included. In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever. Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is: 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7 Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored. THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE ``` [Apple](https://www.bleepingcomputer.com/tag/apple/) [Data Exfiltration](https://www.bleepingcomputer.com/tag/data-exfiltration/) [Mac](https://www.bleepingcomputer.com/tag/mac/) [macOS](https://www.bleepingcomputer.com/tag/macos/) [Piracy](https://www.bleepingcomputer.com/tag/piracy/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [ThiefQuest](https://www.bleepingcomputer.com/tag/thiefquest/) [Wiper](https://www.bleepingcomputer.com/tag/wiper/) [Sergiu Gatlan](https://www.bleepingcomputer.com/author/sergiu-gatlan/) Sergiu Gatlan is a reporter who covered cybersecurity, technology, Apple, Google, and a few other topics at Softpedia for more than a decade. Email or Twitter DMs for tips. [Previous Article](https://www.bleepingcomputer.com/news/security/microsoft-releases-urgent-security-updates-for-windows-10-codecs-bugs/) [Next Article](https://www.bleepingcomputer.com/news/microsoft/microsoft-lifts-windows-10-2004-update-block-on-surface-devices/) ### Comments ----- [Some-Other-Guy - 1 year ago](https://www.bleepingcomputer.com/forums/u/1150694/some-other-guy/) The fix for wipers and ransomware is obvious The U.S. Federal Communications Commission (FCC) should formally designate Apple and Microsoft Operating Systems as national security threats to the integrity of U.S. communications networks or the communications supply chain. Easy Peasy LoL We can ask nicely for physical write protect switches on our drives and SSD's for another 40 years to protect our backups from malware but we ain't getting them are we? My backups are on write protected Blu-Ray Optical Discs! Where's yours? [vuksha_xc60 - 1 year ago](https://www.bleepingcomputer.com/forums/u/1167356/vuksha-xc60/) Maybe it's better to use SD cards for that purpose instead of Blueray discs. ----- [Some-Other-Guy - 1 year ago](https://www.bleepingcomputer.com/forums/u/1150694/some-other-guy/) Definitely not! SD cards are normally rated to retain your data for 12-18 months Blu-Ray retains data for several years (over 1000 years for M-Disc) SD cards cost much more than Blu-Ray discs SD write protection can be defeated easily Blu-Ray protection cannot and lets not forget labelling.... Ever try finding the right backup on hundreds of SD cards? It is much easier to read the contents of a properly labelled optical disc DyingCrow Photo [DyingCrow - 1 year ago](https://www.bleepingcomputer.com/forums/u/1030683/dyingcrow/) As we're talking about personal backups, you can create a single container backup using 7zip or something, dump all the stuff in there and manually change the extension to something ransomware ignores and is not conspicuous. If that container is big enough, there's a good chance it will be unattractive for encryption or exfiltration. For example, some custom game archive extensions can be pretty big in size, so use one of those, why not? Heck, you can even use a ransomware extension! lul ----- [R-K - 1 year ago](https://www.bleepingcomputer.com/forums/u/1137491/r-k/) Ransomware cyber-terrorists must be put to death sentences. Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----