Heads up, Mac users! Don’t fall for the "free" version of Little Snitch being offered on various forums. In fact, this applies to any premium software that someone offers for free. A new ransomware, ‘ThiefQuest’, is in the wild targeting Mac devices via pirated software.
ThiefQuest Ransomware Targets Mac Users
Reportedly, researcher Dinesh Devadoss caught a new piece of malware in the wild targeting Mac devices. Disclosing it in a tweet, the researcher stated that he found the malware impersonating the Google Software Update program.
— Dinesh_Devadoss (@dineshdina04) June 29, 2020
Nonetheless, further analysis of the malware revealed that this is not the only channel through which it spreads. Rather, the malware, more precisely ransomware, first named EvilQuest and then renamed ThiefQuest, is actually distributed through several sources.
According to Patrick Wardle’s analysis, he caught a malware sample packaged as a pirated copy of the popular music software ‘Mixed In Key’, whereas Thomas Reed of Malwarebytes found it packaged as a pirated version of Little Snitch, a macOS application firewall.
So, it seems the threat actors may have hidden the ThiefQuest ransomware in various false apps for Mac devices.
In brief, the malware reaches the target device when the victim installs the fake app. Along with the legitimate installer, the package also drops an executable file named ‘patch’ on the device. This in turn launches the malware and establishes communication between the infected device and the C&C server.
Besides this, the malware also has features to evade detection by security tools. For instance, it checks the device for the presence of popular antimalware products. It also renames the ‘patch’ file to ‘CrashReporter’, the name of an otherwise legitimate macOS process, so it does not stand out even when seen in Activity Monitor.
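The name-borrowing trick above suggests a simple defender check: flag any running process whose name matches a system component (‘CrashReporter’, or the ‘patch’ dropper) but whose executable lives outside the location the genuine binary would have. The script below is an added example, not code from the article or from any of the researchers cited; the trusted path prefixes and the sample `ps` output are assumptions constructed for the demonstration.

```python
import os
import re
import subprocess
from typing import Dict, List, Tuple

# Process names the article says this malware borrows, mapped to the path
# prefixes where the genuine macOS binaries are assumed to live (assumption).
MASQUERADE_NAMES: Dict[str, Tuple[str, ...]] = {
    "CrashReporter": ("/System/",),
    "patch": ("/usr/bin/",),
}

# One line of `ps -axo pid=,ppid=,comm=`: pid, ppid, executable path (may contain spaces).
PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s*$")

# Constructed sample output (not captured from a real infection).
SAMPLE_PS = """\
  412     1 /System/Library/CoreServices/ReportCrash
  987   612 /Users/demo/Library/Application Support/CrashReporter
 1020   987 /usr/bin/patch
 1104   612 /private/tmp/patch
"""

def parse_ps(output: str) -> List[Tuple[int, int, str]]:
    """Parse ps output into (pid, ppid, path) tuples, skipping malformed lines."""
    procs = []
    for line in output.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return procs

def suspicious_masquerades(procs: List[Tuple[int, int, str]]) -> List[Tuple[int, int, str]]:
    """Return processes that carry a system-component name but run from an untrusted path."""
    hits = []
    for pid, ppid, path in procs:
        trusted = MASQUERADE_NAMES.get(os.path.basename(path))
        if trusted is not None and not path.startswith(trusted):
            hits.append((pid, ppid, path))
    return hits

def scan_live() -> List[Tuple[int, int, str]]:
    """Run the check against the live process table on a macOS host."""
    out = subprocess.run(["ps", "-axo", "pid=,ppid=,comm="],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_masquerades(parse_ps(out))

if __name__ == "__main__":
    for pid, ppid, path in suspicious_masquerades(parse_ps(SAMPLE_PS)):
        print(f"suspicious: pid={pid} ppid={ppid} path={path}")
```

On the sample data the check reports the user-writable ‘CrashReporter’ and the ‘patch’ binary in /private/tmp, while the genuine ReportCrash and /usr/bin/patch pass.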
Malware Seems In Development
Currently, the researchers believe that the malware is still under development, as it does not reliably encrypt files.
Nonetheless, the threat actors behind it appear to use the ransomware for more than one purpose, since they have packed multiple features into it. For instance, it installs a keylogger to capture sensitive details such as passwords.
Hence, Mac users should remain very careful when downloading any apps or software to their systems. Make sure to obtain software from legitimate providers only, and avoid downloading cracked or pirated copies of tools to stay safe from Mac malware.