According to several independent reports from K7 Lab malware researcher Dinesh Devadoss, Patrick Wardle, and Malwarebytes, the ransomware variant — dubbed "EvilQuest" — is packaged along with legitimate apps, which upon installation, disguises itself as Apple's CrashReporter or Google Software Update.
Besides encrypting the victim's files, EvilQuest also comes with capabilities to ensure persistence, log keystrokes, create a reverse shell, and steal cryptocurrency wallet-related files.
With this development, EvilQuest joins a handful of ransomware strains that have exclusively singled out macOS, including KeRanger and Patcher.
The source of the malware appears to be trojanized versions of popular macOS software — such as Little Snitch, a DJ software called Mixed In Key 8, and Ableton Live — that are distributed on popular torrent sites.
"To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed," Thomas Reed, director of Mac and mobile at Malwarebytes, said. "However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file."
Once installed on the infected host, EvilQuest does a sandbox check to detect sleep-patching and comes equipped with anti-debugging logic to ensure the malware program is not running under a debugger.
"It's not unusual for malware to include delays," Reed said. "For example, the first-ever Mac ransomware, KeRanger, included a three-day delay between when it infected the system and when it began encrypting files. This helps to disguise the source of the malware, as the malicious behavior may not be immediately associated with a program installed three days before."
It also kills any security software (e.g., Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender, and Bullguard) that may detect or block such malicious behavior on the system, and sets up persistence using launch agent and daemon property list files ("com.apple.questd.plist") to automatically restart the malware each time the user logs in.
In the last stage, EvilQuest launches a copy of itself and starts encrypting files — counting cryptocurrency wallet ("wallet.pdf") and keychain related files — before eventually displaying ransom instructions to pay $50 within 72 hours or risk leaving the files locked.
But EvilQuest's features go beyond typical ransomware, including the ability to communicate with a command-and-control server ("andrewka6.pythonanywhere.com") to remotely execute commands, initiate keylogger, create a reverse shell, and even execute a malicious payload directly out of memory.
"Armed with these capabilities, the attacker can maintain full control over an infected host," Wardle said.
While work is on to find a weakness in the encryption algorithm to create a decryptor, it's recommended that macOS users create backups to avoid data loss and use a utility like RansomWhere? to thwart such attacks.
"The best way of avoiding the consequences of ransomware is to maintain a good set of backups," Reed concluded. "Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times."