Mac Ransomware Evilquest Could Encrypt Your Mac


On Sunday 28 June, security researcher Dinesh Devadoss wrote on Twitter about a new malware program that is not yet being detected by any antivirus engines. The malware has been named Evilquest.

Thomas Reed of Malwarebytes discovered that the malicious code had been spread in pirated Mac programs on the Russian torrent forum Rutracker. Most notably it has been found in an infected copy of Little Snitch – a program that, ironically, is usually used to protect users from malicious activity. Evilquest has also been found in DJ software Mixed In Key 8 and a Google Software Update.

The program installs itself in several places in the system and tries to hide behind names like “com.apple.questd” and “CrashReporter”. If you install it on your computer it will begin encrypting files. Some time later you will see a blackmail message asking for $50 in bitcoin to decrypt your files.
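As a quick check for the two names mentioned above, the following added example (not from the article or from the researchers it quotes) lists files carrying those names. The function names and the default directories, which are the standard macOS launchd locations, are assumptions, since the article does not say where the files are placed.

```shell
#!/bin/sh
# Added example: look for files named like the Evilquest components the
# article mentions. A hit is a lead to investigate, not proof of infection:
# macOS itself uses the CrashReporter name for legitimate components.

# Names taken from the article.
EVILQUEST_NAMES="com.apple.questd CrashReporter"

# scan_names DIR...: print each regular file under the given directories
# whose name is exactly one of the names above or that name plus an
# extension (for example com.apple.questd.plist).
scan_names() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # skip directories that do not exist
        for name in $EVILQUEST_NAMES; do
            find "$dir" -type f \( -name "$name" -o -name "$name.*" \) 2>/dev/null
        done
    done
}

# count_hits DIR...: number of matching files, for use in scripts.
count_hits() {
    scan_names "$@" | wc -l | tr -d ' '
}

# With no arguments, check the standard launchd directories (assumption:
# the article names no paths). Pass other directories to widen the search.
if [ "$#" -eq 0 ]; then
    set -- "${HOME:-/nonexistent}/Library/LaunchAgents" \
           /Library/LaunchAgents /Library/LaunchDaemons
fi
scan_names "$@"
```

Run it with extra directories as arguments, for example `~/Library`, to search beyond the launchd folders.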

According to research by Reed, the software installs a legitimate version of Little Snitch and at the same time loads an executable file “patch” that installs the actual malware. After installation there is a delay of three days so that the user does not associate any problems with the newly installed program. Once the three days have passed, the malware begins to encrypt files and then demands a ransom. Reed also found traces of a keylogger that registers all keystrokes.

However, it seems that the malware doesn’t actually work that well. The security researcher reported that problems occurred during installation. He also suggested that the authors of the malware are not very familiar with the Mac file structure, because keychain data and settings data were also encrypted, which led to prominent error messages. Forum users reported that they received the ransom note, but Reed actually failed to get his variant of the malware to run.

To protect yourself from this and other malware, only download software from a legitimate source. We have this guide to what to do if you experience a ransomware attack here.

If you’re looking for AV buying advice, read our roundup of the Best Mac antivirus and Do Macs get viruses?; general advice can be found in our Mac security tips; and those who think they have been hit by a virus should try How to remove Mac viruses. We also have a full list of Mac viruses here.

Parts of this article were translated from Macworld Sweden and Macwelt by Karen Haslam.





Via MACWORLD
