Mac users should be careful: the OSX.EvilQuest ransomware now in circulation carries a keylogger and a reverse shell and can empty cryptocurrency wallets on infected workstations.
Far less common than on PCs, ransomware can also make life miserable for Mac users. This was notably the case in 2017, when researchers from ESET published an alert on the OSX/Filecoder.E ransomware. The latest, OSX.EvilQuest, was discovered by K7 Computing security researcher Dinesh Devadoss and analyzed by Malwarebytes and Objective-See. It circulates on online forums as well as on torrent sites, all the more reason to be wary of downloading pirated files. Hidden inside fake installers for programs well known to Mac users (the DJ software Mixed In Key, the Ableton Live production suite, the Little Snitch firewall, ...), this ransomware is far from being reliably detected by antivirus software.
“The installer also contained a post-installation script, a shell script that is executed after the installation process is complete. It is normal for this type of installer to contain pre-installation and/or post-installation scripts, for preparation and cleanup, but in this case the script was used to load the malware and then launch the legitimate Little Snitch installer,” said Malwarebytes security researcher Thomas Reed. And Patrick Wardle, cybersecurity expert and founder of Objective-See, adds: “As the installer requires root privileges during installation, this script (and therefore the toolroomd binary) will also run with root privileges.”
Built-in protections against anti-malware analysis
Once activated, the ransomware begins encrypting files on the infected Mac, though not immediately: “The malware installed via the Mixed In Key installer was also reluctant to start encrypting files for me. I let it run on a real machine for a while without result, then started playing with the system clock. After setting it three days ahead, disconnecting from the network and restarting the computer several times, it finally started encrypting files,” said Thomas Reed. Any type of file can be affected, including the keychain, which leads to authentication problems on the system, and Dock settings, which resets the appearance of items in the Dock.
To shield itself from anti-malware analysis, OSX.EvilQuest embeds a check for whether its process is being debugged (is_debugging) as well as a check for whether it is running inside a virtual machine (is_virtual_mchn). On top of that, it carries a keylogger (built on CGEventTapCreate), can open a reverse shell to a command-and-control server, and looks for cryptocurrency wallet files (wallet.pdf, wallet.png, key.png, .p12, ...), presumably in order to exfiltrate them.
The importance of backups
“If your files are encrypted, you cannot know how dire the situation may be. It depends on the encryption and how the keys are handled. It is possible that further research will lead to a method for decrypting the files, and it is also possible that it will not. The best way to avoid the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and at least one should not be attached to your Mac at all times. Ransomware can try to encrypt or damage backups on connected disks,” warns Thomas Reed.