ThiefQuest Ransomware for the Mac

There's a new ransomware for the Mac called ThiefQuest or EvilQuest. It's hard to get infected:

For your Mac to become infected, you would need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it. It's a good reminder to get your software from trustworthy sources, like developers whose code is "signed" by Apple to prove its legitimacy, or from Apple's App Store itself. But if you're someone who already torrents programs and is used to ignoring Apple's flags, ThiefQuest illustrates the risks of that approach.

But it's nasty:

In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Posted on July 6, 2020 at 6:43 AM • 11 Comments


Smith July 6, 2020 3:09 PM

Unfortunately *ANY* software Apple hasn't signed off on - err *cough* been paid handsomely for a signature on - pops up those exact same warnings.

Consider the software you might want to run: Emacs, GIMP, Inkscape, VLC, Chrome, Firefox, Thunderbird, Steam, Dosbox, WINE, ffmpeg, etc, etc, etc. And that's before we get into gaming (direct downloads). Or Fink / MacPorts / HomeBrew / etc. How much of that do you download off the internet, and get the same warnings?

Apple could have been great, doing something like Ubuntu or Red Hat with a vast library of software available. Instead they charge a fortune to develop "authorized" software, and collect 30% from their app store.

Shit like Thiefware was bound to happen.

(And, as long as I'm writing, I'll point out that Apple recently went 64-bit only, breaking much software including WINE, and is now switching over to ARM CPUs for their laptops. They claim their Rosetta software will let existing x86 software run just fine on the ARM, but their benchmarks are awfully low. And for some reason they're comparing benchmarks of an ARM laptop running Rosetta against benchmarks from an ARM Tablet, rather than against an x86 computer. Meanwhile Ubuntu & WINE are running all my old Windows software, even graphically intensive MMORPGs (low settings), on a bottom-end Ryzen3/Vega3 laptop. I don't know how all this is going to play out, but the next few years look to be interesting.)

JonKnowsNothing July 6, 2020 5:09 PM

re: Apple malware generally

I remember when (as the common saying goes):

When Apple and those that Craved All Apples, said Apple Products NEVER EVER got malware, virus, or bad-news-software. There was an Apple-Snob in every company looking down at the rest of IT while we engaged in M$ slugfests with every possible permutation of malware. We wiped and reinstalled hard drives with such regularity that we could do it while sleep deprived.

It might be that Apple finally figured out that for every "impossible to remove" nasty found in a unit or network, led to "replacement buying as a workaround" since the beyond fixing device was binned.

This "Buy a Replacement Policy" became "The Fix" of choice.

  "The fix is in the next upgrade / product release / updated OS",
   most of which is not backward compatible.

The Fix is certainly in...

wiredog July 7, 2020 5:35 AM

Apple hasn't run any benchmarks, and the EULA for the new dev boxes specifically states that benchmarks can't be run. PC Magazine ran some benchmarks which were heavily caveated as to their theoretical nature.

Petre Peter July 7, 2020 6:52 AM

As the Mac gets more popular, it will attract more and more virus and malware writers.

smith July 7, 2020 5:08 PM

@ JonKnowsNothing:

Been there, done that. I opted for Linux boot and ntfsclone'ing. Or dd'ing the whole drive. Did that so many times. Drive-by malware was a PITA. Nuking it from orbit was the only way to be sure.

@ wiredog:

I've seen some benchmarks from Apple. But like I said, comparing ARM+Rosetta to plain ARM, and the numbers were worse than a $200 x86 Walmart laptop.

@ Petre Peter:

Yup. It gets worse. I can run all my Windows software, everything I've thrown at it so far and I've tried a lot, under Ubuntu with WINE (devel version).

But unfortunately WINE lets you run Windows viruses under Ubuntu too...

Clive Robinson July 7, 2020 8:37 PM

@ smith,

But unfortunately WINE lets you run Windows viruses under Ubuntu too...

That is true of any "emulation". After all it would not be "emulating" fully / properly / correctly if it did not.

Kind of a Catch-22 at first sight. However WINE can be not just "sandboxed" but "instrumented" if you do it right. It's what a number of malware researchers do.

Thus the question arises of,

"Can an instrumented sandbox, still do useful work in the presence of malware?"

And the answer is with some caution / provision Yes. That is software that behaves like a "filter" that reads data and outputs totals / summaries / etc will not be affected by most malware (but ransomware probably).

Thus the trick is "mitigating" the malware. Back in days long past someone came up with the idea of "Unix Jails" via "chroot" or "change filesystem root". That is a process got its own private copies of the parts of the system critical files it needed to operate. So if it damaged those files only that process would be affected.

Fly forward a decade or three where memory is not an issue, you can build a file system in memory via a loopback interface thus the jail can be entirely volatile and reloaded from "safe backup" every time the program is executed. It's the same idea as running the entire OS in RAM from a "Live CD" etc.

Well as you are probably aware you can do the same with Virtual Machines.

So yes you can run Malware infested Win programs on WINE in not just a safe but a productive way under some circumstances.

I've done this years back for some 16bit DOS programs using "DOS_Merge under AT&T SysV r4 Unix", when Microsoft in effect stopped 16bit .com programs running. This was necessary because they were still running "mission critical" hardware etc like PABX's, CPU hardware ICE / Emulators, very expensive laboratory test equipment / instrumentation, and even multi million dollar industrial plant, which the manufacturers would not support except on old hardware and OS's...

Weather July 7, 2020 8:58 PM

Vmm can be useful but you can't set hardware breakpoint.

When I reverse engineer a program, I single step through everything.

The problem with Vmm is you can't set a hardware breakpoint, most of the time it's software.
Meaning you have to download that virus onto your computer.

If you want updated I can explain how from exe to bug..

SpaceLifeForm July 8, 2020 2:55 AM

Free decryptor available for ThiefQuest ransomware victims. Even if one can recover their critical data, I would still wipe and start over.



dancing on thin ice July 11, 2020 10:05 AM

"As the Mac gets more popular, it will attract more and more virus and malware writers."

Apple's Classic OS was more prone to malware than Windows when they had a small market share.

Buggy July 12, 2020 1:36 PM

I'm no fanboy, but there's some serious anti-Mac baloney in here. I've been using Macs for 30+ years. I run Steam and FireFox ... I don't need to download a skeevy package and go around Apple security to do so. Back in the day, I worked in Windoz shops, and even the ones that spent a ton more on security than any Apple shop had far more breaches (and data loss). The Mac has regained some market share, and if you read this blog or Krebs, tell me what the ratio of Mac-to-Windows articles is. Yes, it will get more problems when it gets more attention; no, it is not as easy to compromise as Windows. Jeezum, just look at the monthly Windows patches and the number and severity of holes they patch, vs. the far-less-than-monthly Mac security updates. MS is not building products with great security, because it's not a marketable "feature." Apple at least gives lip service to the concept of building in security from the ground-up.

Mike D. July 13, 2020 1:11 AM

Emacs, GIMP, Inkscape, VLC, Chrome, Firefox, Thunderbird, Steam, Dosbox, WINE, ffmpeg, etc, etc, etc.

I build those in MacPorts or download the official installers and haven't gotten an "unrecognized signer" or "no signature" or whatever warning. Because they sign their software. In the security settings, "App store and identified developers" is set.

See Signing Your Apps for Gatekeeper for details on the signing process. The App Store is not involved in this process, nor does it cost money. It's about as onerous as GPG signing packages for Linux.

And that's before we get into gaming (direct downloads). Or Fink / MacPorts / HomeBrew / etc. How much of that do you download off the internet, and get the same warnings?

I've downloaded MacPorts off the internet and gotten no warnings. The MacPorts installer is signed, and code built by MacPorts (or Xcode in general) on your machine is considered legit. The only thing I had to do was tell Xcode to install the additional command line tools and accept the licenses.

The App Store is still a walled garden, but it's not the sole source of software like it is on iOS.
