{
	"id": "06de7151-b931-4c21-a497-7eef0eec2aa0",
	"created_at": "2026-04-06T00:19:21.433336Z",
	"updated_at": "2026-04-10T03:31:13.853459Z",
	"deleted_at": null,
	"sha1_hash": "f23d7a9eb679f78642ac347e261da3d0df967182",
	"title": "Updates on Quickly-Evolving ThiefQuest macOS Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5122470,
	"plain_text": "Updates on Quickly-Evolving ThiefQuest macOS Malware\r\nBy Gabrielle Joyce Mabutas, Luis Magisa, Steven Du\r\nPublished: 2020-07-17 · Archived: 2026-04-05 22:04:00 UTC\r\nRight as July of this year began, we noticed an emerging malware dubbed by most as ThiefQuest (also known as EvilQuest),\r\na threat that targets macOS devices, encrypts files, and installs keyloggers on affected systems. It has been found in pirated\r\nmacOS software shared on popular torrent sites. Developments on the malware have been reported\r\nby Malwarebytes, a BleepingComputer news article, and security researchers Dinesh Devadoss, Phil Stokes, Patrick Wardle,\r\nand Thomas Reed.\r\nThe aforementioned reports state the assumption that the malware’s ransomware activity is not its main attack method;\r\nrather, it is a pre-emptive move to disguise its other capabilities such as file exfiltration, Command and Control (C\u0026C)\r\ncommunication, and keylogging. This assumption is also supported by our recent discoveries.\r\nGiven that both the previously mentioned researchers and the updated report from Objective-See have conducted an in-depth\r\nlook into the malware, in this blog post we will discuss our own discoveries, such as the differences between the old and new\r\nversions of the malware, including unusual observations in VirusTotal. More importantly, we’d like to add to the current\r\ninformation provided by published reports that supports our belief that ThiefQuest is an example of highly capable malware\r\nthat should be kept under close monitoring.\r\nNew ThiefQuest variants\r\nNew functions\r\nBesides the old ThiefQuest variant that has been reported by various researchers, we also discovered some improved\r\nvariants with stronger capabilities and other changes compared with earlier iterations of the malware. For instance, these\r\nnew variants seem to emerge only days after the detection of older variants. 
Notably, previously encountered ransomware\r\nbehavior, such as file encryption and ransom note dropping, has been removed.\r\nThese new functions are not called by the main code of the malware; through further investigation, we discovered that the\r\nauthors have implemented a new routine for computing and calling the new functions’ addresses. Other versions of these\r\nnew variants have even obfuscated the function names to make tracing the malware more difficult.\r\nThe following are the new functions, some of which will be discussed:\r\n_react_updatesettings\r\nattach_payload\r\ncompress_bundle\r\ndecompress_bundle\r\nei_fcnc_pack_challenge\r\nei_fcnc_unpack_challenge\r\nei_getip\r\nei_ptas\r\nei_rfind_cnc\r\neisl_add_function\r\neisl_apply_function\r\neisl_debugging_um\r\neisl_get_function\r\neisl_lazysleep\r\neisl_ndebugging\r\neisl_noop\r\neisl_ntrace\r\neisl_ntrace_sc\r\neisl_ntrack_chk\r\neisl_xtrace\r\neisl_zzufff_init\r\nextract_payload\r\nfb_uniconf_* (other related functions)\r\nfb_uniconf_get_entry\r\nfb_uniconf_init\r\nfb_uniconf_load\r\nfb_uniconf_save\r\nfb_uniconf_set_entry\r\nrun_audio\r\nrun_image\r\nrun_payload\r\nhttps://www.trendmicro.com/en_us/research/20/g/updates-on-quickly-evolving-thiefquest-macos-malware.html\r\nPage 1 of 22\n\nPayload reading and attaching\r\nFigure 2. Code snippet showing payload reading and attachment\r\nThe extract_payload() function loads the embedded (and encoded) payload data from the specified file, where the offset and\r\nlength of the data are saved at the end of the file. After reading the data, it calls eib_secure_decode to decode the payload\r\ndata.\r\nThe attach_payload() function is the opposite of extract_payload(). 
It reads payload data from a specified source file,\r\nencodes it, and saves the encoded data to a specified target file.\r\nBundle compression and decompression\r\nFigure 3. Code snippet showing bundle compression and decompression\r\nThe compress_bundle() function encodes the contents of each file in a bundle and saves them to a specified file. On the\r\nother hand, the decompress_bundle() function is the opposite of compress_bundle(): it loads and decodes bundle files from\r\na specified file.\r\nC\u0026C IP generation\r\nFigure 4. Code snippet showing C\u0026C IP generation\r\nThe ei_rfind_cnc() function uses the current time as the seed for random number initialization in a loop of 1,000 iterations. It calls\r\nei_getip() to generate an IP address from the generated random number and tries to connect to it via http_request(). If it can\r\nbe reached, it is then used as the C\u0026C server address.\r\nImproved anti-analysis techniques\r\nIn the function is_virtual_mchn(), the condition checks, including getting the MAC address, CPU count, and physical memory of\r\nthe machine, have been increased.\r\nFigure 5. Code snippet showing condition checks\r\nFigure 6. Code snippet showing analysis checks\r\nIn its string decryption function eip_str(), anti-analysis checks have also been added. One of these checks is\r\neisl_debugging_um(), a new function that calls task_get_exception_ports() to check if the current process is being\r\ndebugged. However, it seems that it does not fully work yet, since the function always returns 0.\r\nFigure 7. 
Code snippet showing the checking of debugging for the current process\r\nWe also found several new functions that are used for anti-analysis; however, a few of these functions are still empty. We\r\nsuspect that these will be populated soon:\r\neisl_xtrace\r\neisl_ntrace\r\neisl_ntrace_sc\r\neisl_ntrace_chk\r\nC\u0026C update\r\nThe function _react_updatesettings() has been added as well. This is used for getting updated settings from the C\u0026C server.\r\nAbility to run image and sound files\r\nMeanwhile, run_audio and run_image are new functions that are meant to save a target file into a hidden .m4a sound file or\r\n.jpg image file, respectively. These files are then opened through a hidden terminal. The malware simply calls\r\n“open filename.m4a” or “open filename.jpg” to play or display the file with the default application associated with each type, such as Music.app or\r\nPreview.app.\r\nWith these two functions, the threat actors behind ThiefQuest may be preparing new features for the malware. Possibly, the\r\ngroup is planning for ThiefQuest to follow a concept similar to that of the previous version, which uses text-to-speech to read its\r\ndropped ransom note.\r\nThe next image shows the disassembly of the run_audio function. It displays the filename that the target will be saved as and\r\nthe encrypted strings (decrypted as an AppleScript command for launching a hidden terminal) used to run them.\r\nFigure 8. 
Code snippet showing the disassembly of the run_audio function\r\nMore security tools terminated\r\nAside from the tweet by user @Myrtus0x0, which states that Objective-See’s KnockKnock solution has been added to the list\r\nof security tools that the malware checks for and terminates, we also discovered that a few other security vendors have\r\nmade it to this updated list:\r\nAvast\r\nBitdefender\r\nBullguard\r\nDrWeb\r\nKaspersky\r\nKnockKnock\r\nLittle Snitch\r\nMcAfee\r\nNorton\r\nReiKey\r\nFigure 9. List and memory dump showing what security tools are terminated\r\nFigure 10. Strings of security tools in their encrypted and decrypted form\r\nChanges in file name and server\r\nThe dropped file name, persistence item PLIST file name, and connected server’s subdomain name have also changed between the previous and\r\nnew variants.\r\nFile name and server changes observed\r\nItem | Previous variant | New variants\r\nPrimary executable file path | /Library/AppQuest/com.apple.questd | /Library/PrivateSync/com.apple.abtpd\r\nPersistence item plist file path | /Library/LaunchDaemons/com.apple.questd.plist | /Library/LaunchDaemons/com.apple.abtpd.plist\r\nServer URL | hxxp://andrewka6[.]pythonanywhere[.]com/ret.txt | hxxp://lemareste[.]pythonanywhere[.]com/cfgr.txt\r\nAnalyzing samples from VirusTotal\r\nData from VirusTotal submissions for the first versions of the malware shows that ThiefQuest had already been lurking since\r\nearly to mid-June. These older samples don’t exhibit as many features as newer ones; additionally, we did notice some\r\ngradual changes in them that demonstrate the malware author’s efforts to continuously improve ThiefQuest.\r\nOne notable characteristic of the early versions is their lack of ransomware capability. 
In fact, ThiefQuest was initially a\r\nbackdoor with the capability to modify the victim’s hosts file (/private/etc/hosts). In one of these earlier samples,\r\neffeeeadfdc3caf523635fcb86581a807f719fa5e322872854499, we observed it adding entries for certain domains to redirect them\r\nto the C\u0026C server. The following are some of the entries added to the hosts file:\r\nC\u0026C server | Domain\r\n167[.]71[.]237[.]219 | localbitcoins[.]com\r\n167[.]71[.]237[.]219 | poloniex[.]com\r\n167[.]71[.]237[.]219 | digitalocean[.]com\r\n167[.]71[.]237[.]219 | cloud[.]digitalocean[.]com\r\n167[.]71[.]237[.]219 | hetzner[.]com\r\nThe file path of the submission to VirusTotal contains /Users/user1 and the country code RU (referring to Russia). Another\r\nsubmission name, with the country code BG (referring to Bulgaria), also contains the notable com.apple.questd.\r\nFigure 11. First screenshot of VirusTotal submissions on an early version of the malware\r\nFigure 12. Second screenshot of VirusTotal submissions on an early version of the malware\r\nThe first ransomware version\r\nIn the beginning, we identified an older variant that wasn’t as comprehensive as the samples analyzed by other reports. This\r\nvariant had no viral infector routines, and certain C\u0026C tasks had no functioning code yet. However, it did demonstrate\r\nransomware behavior.\r\nFigure 13. Code snippet showing infector variants containing the ei_loader_main() function in the main code\r\nthat is responsible for infecting files on the victim machines.\r\nFigure 14. Code snippet showing the first ransomware variant in the main code that does not contain the\r\ninfector function call.\r\nFigure 15. 
Code snippet showing the first ransomware variant with the C\u0026C task _react_keys() returning a\r\nnull value.\r\nObservations from infected samples\r\nGiven the viral infector routine of later samples, we checked VirusTotal Intelligence using the similar-to condition and\r\nfound many matching samples.\r\nFrom June 29 to July 3, more than 30,000 similar new samples were submitted to VirusTotal. Most of them came from\r\nthe same API submission with country code ZZ, which means that the country where the submission originated is\r\nunknown.\r\nFigure 16. Screenshot of a VirusTotal submission on a newer version of the malware\r\nThe folder /Users/user1 is the same one used in older samples, which indicates that these samples are from the same\r\nmachine where the older samples came from. In an estimated five-minute period, the same file path\r\n“/Users/user1/Library/Google/GoogleSoftwareUpdate/GoogleSoftware.bundle/Contents/Helpers/crashpad_handler” was\r\nsubmitted two times, and the file size increased from 16.27MB to 32.09MB. On our testing machine, the size of this file is\r\nonly 499,264 bytes, or less than 500KB.\r\nFigure 17. Screenshot of other VirusTotal submissions on a newer version of the malware\r\nAfter analyzing the sample with the 32.09MB file size, here are some findings:\r\na) When searched, the unique string “/toidievitceffe/libpersist/rennur.c” appears 366 times. 
This means that the\r\nfile has been infected repeatedly by the sample, at least 366 times.\r\nb) Dumping the last Mach-O file at the end of the file confirmed that it is the crashpad_handler binary.\r\nThis is the same file that exists on our clean machine.\r\nc) There were some incomplete copies of the sample in the file, which might have been caused by improper handling\r\nof multiple infection instances that were being run at the same time, or by other potential issues.\r\nd) The malware allows multiple instances of malicious code to be run at the same time on one system.\r\ne) Infected samples can reinfect themselves.\r\nf) Although it avoids infecting Mach-O files that are inside app bundles, the malware still infects files in\r\n~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/, which is similar to an app bundle folder.\r\nGenerally, these behaviors are not found in file infectors produced by experienced malware authors.\r\nGenerations of ThiefQuest\r\nWe recorded the changes below based on the infector samples we sourced. 
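Before turning to the generations, findings a) and b) above can be reproduced on a suspect file with a short script: count the infection marker, list every offset at which a Mach-O (or fat) header magic occurs, and carve from the last header that parses to the end of the file, which is where the host binary was found. The script below is an added example written for this page, not code from the Trend Micro post or from the malware. It runs on a constructed stand-in (a fake 64-bit header for the infector, the marker repeated three times, and a fake host) rather than a real infected file, and it leaves the trailer bytes that append_ei()/pack_trailer() add attached to the carve, because the post does not give their layout.

```python
import struct

# Added example for this page (not Trend Micro's or the malware's code): triage a
# file suspected of carrying ThiefQuest's viral infection. The post observed that
#   a) the string '/toidievitceffe/libpersist/rennur.c' appears once per infection, and
#   b) the original host binary is the last Mach-O found at the end of the file,
# because the infector places itself in front of the host and repeated
# infections stack more copies in front. The trailer that append_ei()/pack_trailer()
# append (host size and magic) is not documented in the post, so the carve below
# runs from the last valid header to EOF and leaves any trailer bytes attached.

MARKER = b'/toidievitceffe/libpersist/rennur.c'

# Mach-O and fat magics as the bytes appear on disk.
MACHO_MAGICS = {
    bytes.fromhex('cffaedfe'): 'MH_MAGIC_64 (little-endian)',
    bytes.fromhex('cefaedfe'): 'MH_MAGIC (little-endian)',
    bytes.fromhex('feedfacf'): 'MH_MAGIC_64 (big-endian)',
    bytes.fromhex('feedface'): 'MH_MAGIC (big-endian)',
    bytes.fromhex('cafebabe'): 'FAT_MAGIC',
}


def count_marker(data):
    # Lower bound on the number of infection passes the file has been through.
    return data.count(MARKER)


def find_macho_headers(data):
    # (offset, magic name) for every place a magic occurs, lowest offset first.
    # A 4-byte pattern can occur by chance, so these are candidates only.
    hits = []
    for magic, name in MACHO_MAGICS.items():
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            hits.append((off, name))
            start = off + 1
    return sorted(hits)


def macho_summary(data, off):
    # Parse a little-endian mach_header_64 at off (x86_64/arm64 macOS binaries).
    # Returns None when the 32 bytes there do not look like a sane header.
    if len(data) < off + 32:
        return None
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, _ = struct.unpack_from('<IiiIIIII', data, off)
    if magic != 0xfeedfacf or ncmds == 0 or ncmds > 4096 or sizeofcmds > len(data) - off:
        return None
    return {'cputype': cputype, 'filetype': filetype, 'ncmds': ncmds, 'sizeofcmds': sizeofcmds}


def carve_last_macho(data):
    # The host is the last candidate whose header parses; everything from there
    # to EOF is returned (host plus trailer). None if no candidate parses.
    for off, _ in reversed(find_macho_headers(data)):
        if macho_summary(data, off) is not None:
            return data[off:]
    return None


# Constructed sample, not a real ThiefQuest file: a fake 64-bit header stands in
# for each Mach-O, and the marker is repeated as if the host were infected 3 times.
def fake_macho(body):
    # mach_header_64 fields: magic, cputype (x86_64), cpusubtype, MH_EXECUTE,
    # ncmds=1, sizeofcmds=0, flags=0, reserved=0, followed by an arbitrary body.
    return struct.pack('<IiiIIIII', 0xfeedfacf, 0x01000007, 3, 2, 1, 0, 0, 0) + body

INFECTOR = fake_macho(b'INFECTOR-BODY') + MARKER * 3
HOST = fake_macho(b'ORIGINAL-HOST-CODE')
HOST_OFFSET = len(INFECTOR)
SAMPLE = INFECTOR + HOST + b'TRAILER'   # 'TRAILER' stands in for the real trailer

if __name__ == '__main__':
    print('marker count:', count_marker(SAMPLE))
    for off, name in find_macho_headers(SAMPLE):
        print('candidate header at', off, name, macho_summary(SAMPLE, off))
    carved = carve_last_macho(SAMPLE)
    print('carved host length:', len(carved), 'starts with', carved[:4].hex())
```

Run stand-alone it prints the marker count, the two header offsets, and the first bytes of the carved host. Because a 4-byte magic can occur by chance inside arbitrary data, macho_summary() is used to confirm a candidate before the carve is trusted, and a file with no parsable header yields None rather than a garbage carve; on a real infected crashpad_handler the marker count would be the 366 reported above and the carved output would be the host plus the trailer.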
The following is the outline of the malware’s\r\nevolution:\r\nGeneration | Notable behavior | Date first seen | SHA256\r\n1 | Backdoor capability was first implemented here; modified hosts file; hxxp://andrewka6[.]pythonanywhere[.]com/ret[.]txt and 167[.]71[.]237[.]219 were both blocked and categorized as C\u0026C server | 4-Jun-20 | 365a5c72f52de964b8dc134d2fc45f9c73ba045cebd9fd397b1e2\r\n1 | | 19-Jun-20 | effeeeadfdc3caf523635fcb86581a807f719fa5e322872854499f5\r\n2 | Ransomware capability first implemented; file name is /Library/LiveSupport/CrashReporter | 2-Jul-20 | eeac57f7ca9df9199f0346ed9097e9f5482c06214cddc162d1500\r\n3 | File infector capability first implemented; file exfiltration implemented; ransomware capability existed | 26-Jun-20 | 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba\r\n4 | File infector capability existed; ransomware capability removed; hxxp://lemareste[.]pythonanywhere[.]com/cfgr[.]txt was blocked and categorized as C\u0026C server | 3-Jul-20 | f7efda39c80d68db168316732732d04a00fe6fb10f37d1013df1a\r\n4 | | 3-Jul-20 | d18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41\r\n4 | | 4-Jul-20 | 851dfdbffd250523c5c7ff07b29778a04ebd44400b12f23d18a6ee\r\n4 | | 5-Jul-20 | 06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a\r\n4 | | 5-Jul-20 | 7292004b57562223fed4ee122a956a8db38349c95d4dd8853b1e\r\n4 | | 6-Jul-20 | c5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833\r\n4 | | 6-Jul-20 | e69e9dc0d343165aa0f5df942d1b48ddd0337c8a79dcdf40f3c3b\r\n4 | | 6-Jul-20 | 41036e1b78a122e57f2125526d673ffe3358d7323fc5777036627\r\n4 | | 9-Jul-20 | 92ad2b0220f6903fb5fa48ce411af44a60c06031fee3aa682bd28f\r\n4 | | 11-Jul-20 | bcdb0ca7c51e9de4cf6c5c346fd28a4ed28e692319177c8a94c86\r\nPython downloads\r\nThe malware also downloads certain files, such as Python dependencies and two particular files, p.gif and pct.gif.\r\nBleepingComputer has uploaded the raw text of p.gif, 
revealing how heavily obfuscated it is.\r\nFigure 18. Code snippet of p.gif\r\nBased on this, we assume that the malware authors used a tool that produces nested lambda functions to make the script\r\ndifficult to read. In researching the structure of this nested-lambda obfuscation style further, we came across a tool\r\ndeveloped by Chelsea Voss and a team that converts any Python 2 script into a single line via lambda functions.\r\nThe authors also used Python string formatting to obfuscate strings. For example, line 3 has the string ‘r%squ%ssts’, while line 28\r\nuses the pattern ‘r%squ%ssts’ % (‘e’, ‘e’). Manually deobfuscating this reveals the real string to be “requests”.\r\nAnother similar string at line 10 reads ‘__b%s%slt%s%ss__’ % (‘u’, ‘i’, ‘i’, ‘n’), which resolves to\r\n“__builtins__”.\r\nUsing this logic, we also deobfuscated the file on our end, confirming that p.gif is only for installing dependencies.\r\nFigure 19. Code snippet showing requests\r\nWhile BleepingComputer obtained an earlier version of pct.gif, during our investigation we observed that the malware\r\nauthor updated pct.gif to exhibit the same nested-lambda obfuscation as well.\r\nFigure 20. Screenshot of the pct.gif obtained from our recent sourcing\r\nA more recent version of pct.gif that we uncovered also reveals that a string decryption routine is in place, given the\r\npresence of unreadable, encrypted strings. We will update this space once the code has been deciphered.\r\nFigure 21. 
Screenshot of the more recent version of pct.gif obtained from our recent sourcing\r\nAdditional input for the core features\r\nWhile much of our investigation of the core components of this malware (especially its older versions) matches the\r\nfindings of Objective-See’s Patrick Wardle, we would like to highlight additional information that may prove useful for\r\nthose who want a deep dive into the workings of ThiefQuest.\r\nFile Encryption\r\nWe would like to point out that the malware’s encryption logic branches depending on the size of the target file.\r\nIn the core encryption function carve_target(), there are calls to three different branches:\r\nThe first branch targets files smaller than 2MB.\r\nThe second branch targets files between 2MB and 30MB.\r\nThe third branch targets files larger than 32MB.\r\nWhile the parameters for the three calls are the same, there are certain differences in the second and third branches.\r\nFor example, the malware limits the number of files to encrypt to 3,000, and if the second branch has already encrypted\r\n3,000 files, the third branch is skipped.\r\nWhat we find odd in its logic, however, is that if the second branch has already encrypted 2,900 files, the counter for the third\r\nbranch still starts from 0.\r\nFigure 22. Code snippet for the file encryption process\r\nMach-O File Infection\r\nThe function append_ei() is where the routine performs the actual infection. It also adds the original/host file size and magic\r\nnumber at the end of the infected file, as seen in the following figure:\r\nFigure 23. 
Code snippet of append_ei()\r\nThe function pack_trailer(), on the other hand, is used to prepare the trailer data, such as the file size of the host file, for the\r\ninfection.\r\nFigure 24. Code snippet of pack_trailer()\r\nFigure 25. Comparison of the original file (left) and infected file (right)\r\nComparing the original file and the infected file in Figure 25 shows the data added. The original malware sample is placed in front of\r\nthe infected Mach-O file.\r\nThe malware was found to exhibit a few differences in behavior depending on whether it is the original malicious sample or\r\nan infected file. The following differences have been observed between these two types of samples:\r\nSome anti-analysis check procedures were not executed on infected samples (__is_debugging, _prevent_trace, _kill_unwanted).\r\nThe routine in infected samples that drops the original/host code as a hidden file might deceive the user into thinking\r\nthat the infected executed file was not affected while the malware performs malicious routines in the background.\r\nWhen an infected sample is executed, the dropped file .\u003cfilename\u003e1 is not removed after execution.\r\nThe following code snippets show the disassembly of these processes: calling unpack_trailer,\r\nextracting the host into the same directory with a ‘1’ suffix, and saving it as a hidden file. They also show the infected sample and the\r\nhidden dropped file (the presumed normal file).\r\nFigures 26-28. Code snippets showing the calling of unpack_trailer\r\nFigure 29. 
Code snippet showing the infected sample and the hidden dropped file (the presumed normal file)\r\nPersistence\r\nThe main() function of the binary first installs an autorun/persistence mechanism using the functions\r\npersist_executable_frombundle(), ei_persistence_main(), and install_daemon() to ensure that the malware runs on\r\nstartup.\r\nFigure 30. Decompiled code from the main() function showing several encrypted strings used for persistence\r\nFigure 31. Decompiled code in ei_persistence_main() to install persistence\r\nRunning through this part of the code reveals that the malware installs a launch agent (~/Library/LaunchAgents) and\r\na launch daemon (/Library/LaunchDaemons) as com.apple.questd.plist; this targets another copy of the malware binary,\r\n~/Library/AppQuest/com.apple.questd, if certain conditions are met.\r\nFigure 32. Content of the installed LaunchAgent with its target com.apple.questd. The symbol ~ indicates the\r\nhome folder of the currently logged-in user.\r\nFile exfiltration\r\nThe function lfsc_dirlist() is called by the main exfiltration function ei_forensic_thread(), where it concatenates all files\r\nunder the /Users folder into one long string. A check of this string’s length is performed first. If the string is longer than\r\n10,240 characters, it is split into 10,240-character blocks, which are sent one by one to the server.\r\nAfter sending, it sleeps for 10 seconds to avoid making the network load too high. This 10-second sleep routine is also\r\nobserved each time the malware sends exfiltrated data to the server.\r\nFigure 33. 
Code snippet showing lfsc_dirlist()\r\nC\u0026C communication routines\r\nAs reports about the malware only mention the presence and a few features of the C\u0026C server, we would like to share more\r\ninformation on this, especially on these functions:\r\n_react_exec\r\n_react_start\r\n_react_save\r\n_react_keys\r\n_react_ping\r\n_react_host\r\n_react_scmd\r\nFigure 34. Code snippet showing C\u0026C functions\r\n_react_exec()\r\nOne of the functions of the C\u0026C server is _react_exec(). When the malware receives the _react_exec command from the\r\nattacker, it attempts to decode the data and load or run it from memory.\r\nFigure 35. Code snippet showing the _react_exec command\r\nWhen unsuccessful, it writes the file into a hidden .xookc file and runs it with elevated privileges through AppleScript.\r\nFigure 36. Writing the file into a .xookc hidden file\r\nFigure 37. Running the file with elevated privileges through AppleScript\r\n_react_save()\r\nFor the _react_save command, the sample decodes the data received from the server into a file through the function\r\neib_decode(). This file is saved under the filename that is also included in the encoded data received from the server.\r\nFigure 38. Disassembly of the _react_save() function calling the eib_decode() function\r\nInside eib_decode() is the final function called, eib_unpack_i, which is used for placing the decoded file in memory,\r\nthen saving it as a file.\r\nFigure 39. Code snippet of the eib_unpack_i function\r\n_react_ping()\r\n_react_ping is a command used to decrypt a string received from the server. 
Once successfully decrypted, the sample sends a\r\nmessage to the server, possibly indicating that it is working and ready to receive more commands from the server.\r\nFigure 40. Disassembly of _react_ping() showing the encrypted string “Hi there” used for checking.\r\n_react_keys()\r\nThe binary waits for a response from the C\u0026C server. Depending on the command received, it can initiate a keylogger\r\nthrough _react_keys().\r\nFirst, it collects user information, such as the user ID under which the ransomware binary was called and the path in the HOME environment\r\nvariable, and then creates a thread for eilf_rglk_watch_routine(), which contains the keylogger function.\r\nFigure 41. Code snippet showing _react_keys()\r\nIn this thread, the routine uses the CGEventTapCreate() function to log and print keystrokes, where one of its parameters,\r\nprocess_event(), is the callback function for converting keystrokes into strings to print.\r\nFigure 42. Code snippet showing CGEventTapCreate()\r\nThe kconvert() function formats keystrokes into strings. All possible button presses are handled, including volume\r\nup/down/mute and function keys. However, the logged keystrokes are only printed to the console.\r\nFigures 43-45. Code snippets showing kconvert()\r\nGiven the questionable keylogger printing and the null functions, we believe that the malware still lacks capabilities for\r\nC\u0026C-related tasks. 
Perhaps the malware author will improve this part, as well as its file encryption and infection routines, in\r\nlater variants.\r\nMITRE ATT\u0026CK Techniques\r\nBased on the information we obtained from investigating both the previous and newer versions, here is the malware’s\r\ncoverage using MITRE’s Tactics, Techniques, and Procedures (TTPs). Entries in orange indicate observed and implemented\r\nbehavior, while entries in yellow indicate identified, but not fully implemented, code for behavior.\r\nFigures 46-47. Screenshot of the TTP matrix using the updated MITRE ATT\u0026CK Navigator\r\nConclusion\r\nAs some variants of ThiefQuest exhibit ransomware capabilities, it is interesting to note that, compared with some other\r\nplatforms, fewer ransomware detections are found to affect macOS. The emergence of ThiefQuest might mean that\r\ncybercriminals are finding more ways to target macOS with such attacks, or that there is a higher interest in targeting the OS in\r\ngeneral, or perhaps even both.\r\nThere is a misconception that Mac software is secure from malware; however, cybercriminals seek to target software that is\r\nused by a large number of people, and macOS is not exempt from such consideration. For example, besides\r\nransomware, there have been other types of attacks against macOS. Last year, the most detected of these was Shlayer, a\r\ntrojan that spreads adware and unwanted applications.\r\nNewer variants of ThiefQuest with more capabilities are released within days. Having observed this, we can assume that the\r\nthreat actors behind the malware still have many plans to improve it. Potentially, they could be preparing to make it an even\r\nmore vicious threat. In any case, it is certain that these threat actors act fast, whatever their plans. 
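Given that pace, a defender wants a quick way to check a M
ac for the artifacts this post lists: the hosts-file redirects of generation 1, the com.apple.questd and com.apple.abtpd launch items, and the executable paths they point to. The Python script below is an added example written for this page, not code from the Trend Micro post. It runs against constructed sample inputs (a hosts file and two launchd property lists) rather than reading the live system, and it knows only the addresses and paths the post publishes.

```python
import ipaddress
import plistlib

# Added example for this page (not Trend Micro's code): a host-side triage of the
# persistence and hosts-file artifacts described in the post. Two checks:
#   1. hosts entries that point real domains at a non-loopback address, the
#      pattern generation 1 used to redirect localbitcoins.com, poloniex.com,
#      digitalocean.com and hetzner.com to its C2 address;
#   2. launchd property lists from the third-party directories whose label
#      impersonates Apple (com.apple.questd, com.apple.abtpd) or that match the
#      paths the post published.
# The sample hosts file and plists below are constructed, not captured data.

KNOWN_PATHS = {
    '/Library/AppQuest/com.apple.questd',
    '/Library/PrivateSync/com.apple.abtpd',
    '/Library/LaunchDaemons/com.apple.questd.plist',
    '/Library/LaunchDaemons/com.apple.abtpd.plist',
}
KNOWN_C2 = {'167.71.237.219'}
# Apple ships launchd-started code from these trees; com.apple.* items whose
# program lives elsewhere deserve a look.
APPLE_CODE_PREFIXES = ('/System/', '/usr/', '/bin/', '/sbin/', '/Library/Apple/')
LOCAL_NAMES = {'localhost', 'broadcasthost'}


def suspicious_hosts_entries(hosts_text):
    # Returns (address, hostname, is_known_c2) for each mapping of a non-local
    # name to a non-loopback, non-unspecified address. Comments are ignored and
    # unparsable addresses are skipped rather than raising.
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in fields[1:]:
            if name in LOCAL_NAMES or name.endswith('.local'):
                continue
            findings.append((str(addr), name, str(addr) in KNOWN_C2))
    return findings


def launchd_program(plist):
    # launchd takes the executable from Program, else ProgramArguments[0].
    prog = plist.get('Program')
    if not prog:
        args = plist.get('ProgramArguments') or []
        prog = args[0] if args else ''
    return prog


def suspicious_launchd_items(items):
    # items: iterable of (plist path, plist bytes) gathered from
    # /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents.
    # Apple's own items live under /System/Library and are not passed in, so a
    # com.apple.* label here is already out of place.
    findings = []
    for path, blob in items:
        plist = plistlib.loads(blob)
        label = plist.get('Label', '')
        prog = launchd_program(plist)
        reasons = []
        if label.startswith('com.apple.'):
            reasons.append('Apple-style label in a third-party launchd directory')
            if prog and not prog.startswith(APPLE_CODE_PREFIXES):
                reasons.append('launches ' + prog + ', outside Apple-shipped paths')
        if path in KNOWN_PATHS or prog in KNOWN_PATHS:
            reasons.append('matches a path published for ThiefQuest')
        if reasons:
            findings.append((path, label, reasons))
    return findings


# Constructed inputs (addresses and paths are the ones the post lists).
SAMPLE_HOSTS = '''
# default macOS entries
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
0.0.0.0 ads.example.invalid
167.71.237.219 localbitcoins.com
167.71.237.219 poloniex.com
167.71.237.219 digitalocean.com
'''

QUESTD_PLIST = b'''<plist version='1.0'>
<dict>
  <key>Label</key><string>com.apple.questd</string>
  <key>ProgramArguments</key>
  <array><string>/Library/AppQuest/com.apple.questd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>'''

BENIGN_PLIST = b'''<plist version='1.0'>
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Library/PrivilegedHelperTools/com.example.updater</string>
</dict>
</plist>'''

SAMPLE_ITEMS = [
    ('/Library/LaunchDaemons/com.apple.questd.plist', QUESTD_PLIST),
    ('/Library/LaunchDaemons/com.example.updater.plist', BENIGN_PLIST),
]

if __name__ == '__main__':
    for addr, name, known in suspicious_hosts_entries(SAMPLE_HOSTS):
        print('hosts:', name, '->', addr, '(known C2)' if known else '')
    for path, label, reasons in suspicious_launchd_items(SAMPLE_ITEMS):
        print('launchd:', path, label, reasons)
```

To run it against a real machine, feed it the contents of /private/etc/hosts and the plists from /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents. Anything it flags is a lead, not a verdict: a com.apple.* label in a third-party launchd directory is out of place regardless of what it launches, while a hosts entry pointing at a non-loopback address also appears in legitimate setups. The lists it matches against cover only the generations published so far, and each generation to date has changed its paths, labels and server.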
Security researchers\r\nshould be reminded of this and strive to keep up with the malware’s progress by continuously detecting and blocking\r\nwhatever ThiefQuest variants cybercriminals come up with.\r\nRecommendations\r\nThe threat actors discussed here constantly and quickly update this malware; therefore, security teams and users alike should\r\nremain vigilant for any curveballs that this malware could throw at them. To do so, the following actions are recommended:\r\nOnly download applications from trusted sources such as official application stores or download centers.\r\nIn emails, never download attachments or click links from untrusted sources.\r\nPatch and update software to ensure that vulnerabilities are addressed.\r\nThe following solutions are also recommended to detect and block threats before they can infiltrate the system:\r\nTrend Micro™ XDR products – gather and correlate data across multiple vectors – such as email, endpoints, servers,\r\ncloud workloads, and networks – to better analyze and detect threats.\r\nTrend Micro Apex One™ products – employ advanced endpoint detection and response (EDR) to provide actionable\r\ninsights, expanded investigative capabilities, and centralized visibility across the network.\r\nIndicators of compromise\r\nSHA256 | Trend Micro pattern detection\r\neffeeeadfdc3caf523635fcb86581a807f719fa5e322872854499f5270bc0eba | Backdoor.MacOS.THIEFQUEST.A\r\n365a5c72f52de964b8dc134d2fc45f9c73ba045cebd9fd397b1e26fdb11bfec6 | Backdoor.MacOS.THIEFQUEST.A\r\neeac57f7ca9df9199f0346ed9097e9f5482c06214cddc162d1500d15d045b4ed | Ransom.MacOS.THIEFQUEST.A\r\n5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b | Virus.MacOS.THIEFQUEST.A-O\r\nc5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833465fd1383d3 | Virus.MacOS.THIEFQUEST.B-O\r\nd18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2 | Virus.MacOS.THIEFQUEST.B-O\r\ne69e9dc0d343165aa0f5df942d1b48ddd0337c8a79dcdf40f3c3b490d6e96a78 | Virus.MacOS.THIEFQUEST.B-O\r\nf7efda39c80d68db168316732732d04a00fe6fb10f37d1013df1a8a4cde1f68a | Virus.MacOS.THIEFQUEST.B-O\r\n851dfdbffd250523c5c7ff07b29778a04ebd44400b12f23d18a6ee5a3fcfbedc | Virus.MacOS.THIEFQUEST.B-O\r\n06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff | Virus.MacOS.THIEFQUEST.B-O\r\n41036e1b78a122e57f2125526d673ffe3358d7323fc577703662740b3e651dcc | Virus.MacOS.THIEFQUEST.B-O\r\n7292004b57562223fed4ee122a956a8db38349c95d4dd8853b1ebc60ef7508b1 | Virus.MacOS.THIEFQUEST.B-O\r\n92ad2b0220f6903fb5fa48ce411af44a60c06031fee3aa682bd28f3f3fde1eda | Virus.MacOS.THIEFQUEST.B-O\r\nbcdb0ca7c51e9de4cf6c5c346fd28a4ed28e692319177c8a94c86dc676ee8e48 | Virus.MacOS.THIEFQUEST.B-O\r\nNetwork artifacts | WRS action\r\nhxxp://andrewka6[.]pythonanywhere[.]com/ret[.]txt | Blocked and categorized as C\u0026C server\r\n167[.]71[.]237[.]219 | Blocked and categorized as C\u0026C server\r\nhxxp://lemareste[.]pythonanywhere[.]com/cfgr[.]txt | Blocked and categorized as C\u0026C server\r\nSource: https://www.trendmicro.com/en_us/research/20/g/updates-on-quickly-evolving-thiefquest-macos-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/g/updates-on-quickly-evolving-thiefquest-macos-malware.html"
	],
	"report_names": [
		"updates-on-quickly-evolving-thiefquest-macos-malware.html"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434761,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f23d7a9eb679f78642ac347e261da3d0df967182.pdf",
		"text": "https://archive.orkl.eu/f23d7a9eb679f78642ac347e261da3d0df967182.txt",
		"img": "https://archive.orkl.eu/f23d7a9eb679f78642ac347e261da3d0df967182.jpg"
	}
}