Recently we published an introduction to the EvilQuest malware, debunking the old belief that macOS is virus-free. EvilQuest belongs to the family of ransomware that has caught the attention of many information security experts, since it mainly targets macOS. Following the path of KeRanger and Patcher, well-known infiltrator programs for macOS, EvilQuest uses similar behavior but is more evasive and genuinely more stable than its predecessors. The code used was said to be derived from a trojanized version of macOS that is available on many torrent sites and the dark web.
Distribution through Pirated Apps
As mentioned in a recent article, the malicious code hides itself inside pirated apps available on the internet. Since the package is well built and duly signed, it can deceive many victims and the OS itself. It hid as Apple’s CrashReporter or Google Software Update. Thus, these apps can acquire legitimate Apple App Certification, which lets the malware install stealthily onto the system. With this feature, it can bypass the multi-layered security imposed on macOS. Once executed, its persistence feature keeps it running, as it is also programmed to restart every time a user logs in.
Like KeRanger and Patcher, the ransomware does not execute immediately on the system. Instead, it incubates on the system for days before carrying out its malicious activity, which is unusual. The malware also ensures that it bypasses the security protocol of any sandbox environment. It does this by stopping the malicious code immediately once a sandbox is detected, before the desired application installs on the targeted user profile.
EvilQuest starts to work on its prey – simulating the infection
After the incubation period, EvilQuest starts to work on its prey by disabling any antivirus or anti-malware program installed on the targeted system. Once done, it stealthily scans the whole system, targeting relevant documents and, mainly, cryptocurrency activity. Like a typical ransomware application, it features a command-and-control capability that lets the perpetrator do further damage to the compromised system. The next phase is to encrypt sensitive files and then send the user a message asking for money in exchange for the decryption code; otherwise the data will be left locked after a 72-hour deadline.
Currently, researchers are still checking for weak points in the encryption function of this ransomware to mitigate its damage. The cybersecurity experts who submitted the report added a bit of advice: always keep a backup of essential files on a removable drive to ensure the data is protected. With such backups in place, the encryption used in these types of attacks becomes pointless.