This week, security researchers discovered a new strain of ransomware targeting macOS users that spreads through pirated apps.
According to multiple independent reports, the ransomware variant, dubbed "EvilQuest", is bundled with legitimate apps; once installed, it disguises itself as Apple's CrashReporter or Google Software Update.
Besides encrypting the victim's files, EvilQuest includes capabilities to ensure persistence, log keystrokes, spawn a reverse shell, and steal cryptocurrency-wallet-related files.
The malware appears to originate from trojanized versions of popular macOS software distributed on widely used torrent sites.
“To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed,” Thomas Reed, director of Mac and mobile at Malwarebytes, said. “However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.”
Once installed on the infected host, EvilQuest performs a sandbox check to detect sleep patching (a technique analysis environments use to skip a sample's built-in delays) and includes anti-debugging logic to ensure the malware is not running under a debugger.
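The two checks described above, as an added example that is not EvilQuest's code or any analyst's reproduction of it: a sleep-patching check that compares the requested delay with the monotonic clock, and a debugger check. The macOS branch is assumed to use the documented sysctl()/P_TRACED query; the Linux branch reads TracerPid from /proc/self/status so the file also builds and runs off-Mac. The thresholds (half the requested delay) and function names are this example's own choices.

```c
#ifndef __APPLE__
#define _POSIX_C_SOURCE 200809L   /* clock_gettime on glibc with strict -std */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Pure decision logic: if a sleep "returned" in far less than the requested
 * time, the environment fast-forwarded or patched out the delay (assumed
 * threshold: less than half the requested time). Kept separate so it can be
 * unit-tested without actually sleeping. */
int sleep_looks_patched(double requested_s, double elapsed_s) {
    return elapsed_s < requested_s * 0.5;
}

static double now_monotonic(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Sleep for the requested number of seconds and report whether the
 * monotonic clock agrees that the delay actually elapsed. A sandbox that
 * hooks sleep() to return immediately is caught here. */
int sleep_was_patched(unsigned seconds) {
    double start = now_monotonic();
    sleep(seconds);
    return sleep_looks_patched((double)seconds, now_monotonic() - start);
}

/* Returns 1 if a debugger or other ptrace-based tracer is attached to this
 * process, 0 otherwise (or 0 if the query fails). */
int being_debugged(void) {
#ifdef __APPLE__
    struct kinfo_proc info;
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) return 0;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    /* Linux: the kernel reports the tracer's PID (0 when none) in
     * /proc/self/status. */
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int traced = 0;
    if (!f) return 0;
    while (fgets(line, sizeof(line), f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            traced = atoi(line + 10) != 0;
            break;
        }
    }
    fclose(f);
    return traced;
#endif
}

int main(void) {
    if (being_debugged()) {
        puts("debugger detected, bailing out");
        return 1;
    }
    if (sleep_was_patched(2)) {
        puts("sleep was patched: probably a sandbox, bailing out");
        return 1;
    }
    puts("environment looks real; a real sample would continue here");
    return 0;
}
```

For an analyst the practical consequence is the inverse of the code: if a sample exits early with no visible behaviour, check whether the sandbox's sleep acceleration or an attached debugger tripped checks like these, and rerun with those disabled or with the checks patched out in the binary.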
“It’s not unusual for malware to include delays,” Reed said. “For example, the first-ever Mac ransomware, KeRanger, included a three-day delay between when it infected the system and when it began encrypting files. This helps to disguise the source of the malware, as the malicious behavior may not be immediately associated with a program installed three days before.”
“Armed with these capabilities, the attacker can maintain full control over an infected host,” security researcher Patrick Wardle said.
While work is underway to find a flaw in the encryption algorithm that would allow a decryptor to be built, macOS users are advised to keep backups to avoid data loss and to use a utility such as RansomWhere to prevent such attacks.
“The best way of avoiding the consequences of ransomware is to maintain a good set of backups,” Reed concluded. “Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times.”