Last week a worrying piece of malware which targeted macOS started grabbing the attention of the cybersecurity sector.
The malware was originally called EvilQuest but since then the name has changed to ThiefQuest. This change in name according to Malwarebytes Labs, is because EvilQuest was the name of a real game.
ThiefQuest then was widely regarded as ransomware because of the ransom note that victims were shown. There’s also the fact that user data was encrypted so it wasn’t just assumed that this was ransomware.
ThiefQuest was being spread through torrent files and targets macOS specifically.
However it seems that, aas the days have worn on, researchers have noted a few oddities with ThiefQuest.
These oddities include: a ransom of $50 rather than the usual demand of a specific amount of Bitcoin, lack of an email address to contact the attacker and the fact that the decryption routine could never actually run.
“This, plus the strange reluctance shown by the malware to actually encrypt anything, suggests that the ransom is merely a distraction,” writes director of Mac and Mobile at Malwarebytes, Thomas Reed.
This doesn’t mean that ThiefQuest won’t encrypt your files, it can, but Reed suspects that the malware has another goal.
“This malware appears to also include code for keylogging and for opening a backdoor to give the attacker prolonged access to your Mac,” says Reed.
Worse still, the malware may attach itself to executable files so that when a user runs what they think is a legitimate application, a malicious version is run instead with the user being none the wiser.
So should users try to remove the malware? Of course but the damage might be more than a removal tool can help with according to Reed.
“It’s entirely possible that executable files on an infected Mac may have been modified maliciously, and these changes may not be detected by antivirus software. Even if they are, removal of those files may cause damage to software on your system. Thus, because of this danger and the likely damage to user data, it may be prudent to restore an infected system from backups rather than trying to disinfect it,” says the director.
For macOS users who have had their data encrypted, SentinelOne has developed a free decryption tool you can download from GitHub here.
However, with Reed’s words still ringing in our ears we’ll keep an eye out for any additional news regarding ThiefQuest to see if ransomware was always the play or if it is indeed just a red herring for something a lot more serious.
This should serve as a reminder to backup all of your important data regularly, no matter which platform or system you prefer working on.