Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New EvilQuest ransomware targets macOS users

Experts discovered a new ransomware dubbed EvilQuest designed to target macOS systems, it also installs a keylogger and a reverse shell to take over them. Security experts have uncovered a new piece of ransomware dubbed EvilQuest designed to encrypt macOS systems, it is also able to install additional payloads and potentially take over the infected […]

evilquest ransomware

Experts discovered a new ransomware dubbed EvilQuest designed to target macOS systems, it also installs a keylogger and a reverse shell to take over them.

Security experts have uncovered a new piece of ransomware dubbed EvilQuest designed to encrypt macOS systems, it is also able to install additional payloads and potentially take over the infected machine.

Unlike other MacOSx threats, EvilQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallets from infected hosts.

EvilQuest was first spotted by K7 Lab malware researcher Dinesh Devadoss while it was impersonating as Google software update program.

The malware was also analyzed by Malwarebytes Director of Mac & Mobile Thomas ReedPrincipal Security Researcher at Jamf Patrick Wardle, and Phil Stokes, macOS security researcher at SentinelOne.

EvilQuest includes anti-analysis capabilities, it is able to check if it’s running in a virtual machine or a sandboxed environment and implements anti-debug capabilities.

The ransomware also checks for some common anti-virus solutions (e.g. Kaspersky, Norton, Avast, DrWeb, Mcaffee, Bitdefender, and Bullguard). According to Felix Seele, it establishes a reverse shell to communicate with the C2 server.

Using these capabilities the ransomware can gain full control over the infected system.

“Armed with these capabilities the attacker can main full control over an infected host!” reads the analysis wrote by Wardle.

According to the experts, the EvilQuest ransomware has been distributed in the wild since the beginning of June.

Threat actors have started distributing the ransomware in tainted pirated macOS software uploaded on torrent portals and online forums.

Patrick Wardle has found some samples of malware that have been hidden inside a pirated version of popular DJ software Mixed In Key, while Reed found it inside the macOS security tool Little Snitch.

Once encrypted the file on the infected host, a popup is displayed to the victim, informing it that its files have been encrypted.

The victims is directed to open a ransom note dropped on their desktop that includes instructions for the payment of the ransomware.

The ransomware currently targets the following file extensions, as reported by ZDNet:

.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat

MalwareBytes researchers noticed that the malware also attempts to modify some files specific that are part of GoogleSoftwareUpdate and attempt to use them to achieve persistence on infected hosts.

“Even more bizarre—and still inexplicable—was the fact that the malware also modified the following files:

/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/crashpad_handler
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksadmin
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksdiagnostics
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksfetch
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksinstall

These files are all executable files that are part of GoogleSoftwareUpdate, which are most commonly found installed due to having Google Chrome installed on the machine.” states MalwareBytes. “These files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed. However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it’s unclear what the purpose here is.”

One of the tools developed by Patrick Wardle, named RansomWhere, is currently able to detect and stop the EvilQuest ransomware.

In the past, other ransomware already targeted macOS users, including KeRanger, Patcher, FileCoder and Mabouia.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]