Virus Type: Ransomware
It has been reported that a new MacOS ransomware, named "ThiefQuest
ransomware" or "EvilQuest ransomware" is spreading since June 2020. This
ransomware not only encrypts the files on the system but also installs a
keylogger, remote shell and steals cryptocurrency wallet-related files from
infected hosts. Even after ransom has been paid by the victim, the attacker
continue to have access to the computer and can exfiltrate files and
keystrokes. So, the attackers can carry on spying the victims.
Infection mechanism:
This ransomware is distributed via legitimate applications on torrent
websites such as Little Snitch, Ableton, and Mixed in Key. After launching
the installer, ThiefQuest starts encrypting files appending a BEBABEDD
marker at the end. Ransomware will encrypt any files with the following
file extensions of size less than 800 KB: .pdf, .doc, .jpg, .txt, .pages,
.pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html,
.webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js,
.sqlite3, .wallet, .dat
When encryption is completed, it creates a text file named READ_ME_NOW.txt
with the ransom instructions.
Also, the message in Fig.3 does not contain any email address to contact
the hackers for decryptor after the ransom has been paid. This makes it
impossible for attackers to identify victims who have paid ransomware. This
leads to suspicion that ransomware may be used for spying and other
malicious activity.
ThiefQuest downloads Python scripts disguised as GIFs and then run them. If
a file matches the search criteria, it will base64 encode the file contents
and send it to C&C server. These files include text files, images, Word
documents, SSL certificates, code-signing certificates, source code,
projects, backups, spreadsheets, presentations, databases, and
cryptocurrency wallets.
Indicators of compromise:
Websites:
hxxp://andrewka6[d0t]pythonanywhere[d0t]com/ret[d0t]txt
hxxp://167[d0t]71[d0t]237[d0t]219
File locations:
/var/root/.aespot
~/.aespot
~/Library/LaunchAgents/com.apple.abtpd.plist
~/Library/PrivateSync/com.abtpd.questd
~/Library/LaunchDaemons/com.apple.abtpd.plist
~/Library/PrivateSync/com.abtpd.questd
Hashes:
06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff
d18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2
c5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833465fd1383d3
Countermeasures and Best practices for prevention:
Users are advised to disable their RDP if not in use, if required, it
should be placed behind the firewall and users are to bind with proper
policies while using the RDP.
All operating systems and applications should be kept updated on a regular
basis. Virtual patching can be considered for protecting legacy systems and
networks. This measure hinders cybercriminals from gaining easy access to
any system through vulnerabilities in outdated applications and software.
Avoid applying updates / patches available in any unofficial channel.
Restrict execution of Power shell /WSCRIPT in an enterprise environment.
Ensure installation and use of the latest version of PowerShell, with
enhanced logging enabled. Script block logging and transcription enabled.
Send the associated logs to a centralized log repository for monitoring and
analysis.
ml
Establish a Sender Policy Framework (SPF) for your domain, which is an
email validation system designed to prevent spam by detecting email
spoofing by which most of the ransomware samples successfully reaches the
corporate email boxes.
Application whitelisting/Strict implementation of Software Restriction
Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths.
Ransomware sample drops and executes generally from these locations.
Don't open attachments in unsolicited e-mails, even if they come from
people in your contact list, and never click on a URL contained in an
unsolicited e-mail, even if the link seems benign. In cases of genuine URLs
close out the e-mail and go to the organization's website directly
through browser.
Block the attachments of file types,
exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
Consider encrypting the confidential data as the ransomware generally
targets common file types.
Perform regular backups of all critical information to limit the impact of
data or system loss and to help expedite the recovery process. Ideally,
this data should be kept on a separate device, and backups should be stored
offline.
Network segmentation and segregation into security zones - help protect
sensitive information and critical services. Separate administrative
network from business processes with physical controls and Virtual Local
Area Networks.
Install ad blockers to combat exploit kits such as Fallout that are
distributed via malicious advertising.
References
ile-stealing-mac-wiper-in-disguise/
- -macos-users/
mware-victims/
ware-spyware-and-data-theft-into-one/