Apple ThiefQuest

While Windows PCs are generally more at risk for malware than Apple computers, this doesn’t mean that macOS users shouldn’t be vigilant online or know the telltale signs of hacking or scams. In fact, during the last week of June, security firm K7 Lab discovered a new ransomware strain that targets macOS. Over the past several weeks, the ransomware, known as ThiefQuest, has rapidly evolved as has our understanding of it.

While researcher Dinesh Devadoss from L7 Lab first tweeted about the malware on June 29th, it was soon discovered that ThiefQuest, which is sometimes also known as EvilQuest, had been spreading for much of the month. The ransomware was bundled with pirated software, including macOS itself as well as music apps Ableton and Mixed In Key and a security tool called Little Snitch.

ChaceTech continues to see a rise in cybersecurity threats facing many of our clients in the Houston marketplace.

How ThiefQuest Works

Immediately after infecting a system, the ransomware encrypts the victim’s files and displays a popup instructing the victim to pay to have access reinstated. A text file acts as a ransom note, displaying the Bitcoin wallet that the victim must submit payment to, and promising that decryption would start shortly after payment is made.

ThiefQuest is especially malicious because it not only victims from accessing their files by encrypting data but also installs a keylogger that tracks every key typed. Additionally, ThiefQuest installs a reverse shell and steals files related to cryptocurrency wallets that may be on the system. Through these actions, the scammers can steal money and control the infected system, even if the victim pays. ThiefQuest does not provide victims with any way to communicate with the scammers or verify the payment, which indicates that scammers have no plans to relinquish control over the infected systems.

Thomas Reed of Malwarebytes describes how the ransomware tries to modify files that Google’s Chrome browser uses to perform updates, and how newer variants may not include file encryption and the ransom note. The full purpose and extent of these modifications are unknown, however.

It’s easy to see how scammers could gain access to a victim’s username, password, or financial information after their system is infected with ThiefQuest. If the infected machine happens to be used for business, sensitive client information is also vulnerable. Some people may give in to the ransom to regain access to their files and minimize lost productivity. But there is no way to ensure that scammers will reinstate access or that the infected machine won’t remain vulnerable in the future.

Because ThiefQuest’s potency, researchers at Jamf, Malwarebytes, and SentinelOne have all been looking for vulnerabilities that would allow victims to reclaim their data. Researchers have yet to identify such a weakness, and victims should consider their data lost forever even if they pay the ransom. This highlights the importance of frequent data backups on both personal and business machines.

ThiefQuest is a cogent reminder of the security measures that we must undertake in the digital era. While pirated software has always been a risk, using torrents or file-sharing sites to download software that appears to be legitimate still presents a security risk.ThiefQuest victims with existing cryptocurrency wallets may stand to lose more than victims who do not own cryptocurrency, but by demanding that victims pay the ransom in Bitcoin, ThiefQuest gains access to all of that newly-created wallet information.

This new ransomware reminds us scammers will take any opportunity to steal, and while the risks to personal devices are great enough, business users who become victims stand to lose money and clients. Through proper employee training and IT technology, businesses can prevent unnecessary vulnerabilities and mitigate the damage caused by malware such as ThiefQuest.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.