Cybersecurity researchers this week discovered a new type of ransomware targeting macOS users that spreads via pirated apps.
According to several independent reports from K7 Lab malware researcher Dinesh Devadoss, Patrick Wardle, and Malwarebytes, the ransomware variant, dubbed “EvilQuest”, is packaged along with legitimate apps and, once installed, disguises itself as Apple’s CrashReporter or Google Software Update.
Besides encrypting the victim’s files, EvilQuest also comes with capabilities to ensure persistence, log keystrokes, create a reverse shell, and steal cryptocurrency wallet-related files.
With this development, EvilQuest joins a handful of ransomware strains that have exclusively singled out macOS, including KeRanger and Patcher.
The source of the malware appears to be trojanised versions of popular macOS software — such as Little Snitch, a DJ software called Mixed In Key 8, and Ableton Live — that are distributed on popular torrent sites.
“To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed,” Thomas Reed, director of Mac and mobile at Malwarebytes, said. “However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.”
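The practical check that follows from Reed's observation is to verify the installer package's signature before running it. The script below is an added example written for this page, not code from the article, Malwarebytes, or the EvilQuest researchers. It assumes the "Status:" lines match what `pkgutil --check-signature` prints on recent macOS releases (check against your own system), and the package names and certificate chain in the sample outputs are constructed, not captured from real packages.

```shell
#!/bin/sh
# Added example, not from the article or Malwarebytes: decide whether a
# macOS installer package carries a valid, trusted signature before it is run.
# Assumption: the "Status:" strings below match what `pkgutil --check-signature`
# prints on recent macOS releases; verify against your own installation.

# Read `pkgutil --check-signature` output on stdin and print one verdict:
# trusted | untrusted | unsigned | invalid | other
classify_pkgutil_output() {
    status=$(sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1)
    case "$status" in
        "signed by a certificate trusted by"*) echo trusted ;;
        "signed by untrusted certificate"*)    echo untrusted ;;
        "no signature"*)                       echo unsigned ;;
        "package is invalid"*)                 echo invalid ;;
        *)                                     echo other ;;
    esac
}

# Print the leaf certificate of the chain (the "1." entry), i.e. the
# "Developer ID Installer: ..." identity, or nothing if there is no chain.
signer_of() {
    sed -n 's/^[[:space:]]*1\.[[:space:]]*//p' | head -n 1
}

# Run the real tools on a package path (macOS only). Returns 0 only when
# pkgutil reports a trusted signature; also prints Gatekeeper's assessment.
check_pkg() {
    pkg=$1
    out=$(pkgutil --check-signature "$pkg" 2>&1) || true
    verdict=$(printf '%s\n' "$out" | classify_pkgutil_output)
    signer=$(printf '%s\n' "$out" | signer_of)
    echo "$pkg: $verdict${signer:+ ($signer)}"
    spctl --assess --type install -vv "$pkg" 2>&1 || true
    [ "$verdict" = trusted ]
}

# Constructed sample outputs (not captured from real packages): one that
# looks like a properly signed vendor installer, one like a re-packaged copy.
SAMPLE_SIGNED='Package "Little_Snitch.pkg":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (ABCDE12345)
       SHA256 fingerprint: 00 11 22 33
    2. Developer ID Certification Authority
    3. Apple Root CA'

SAMPLE_UNSIGNED='Package "Little_Snitch_from_torrent.pkg":
   Status: no signature'

demo_signed()   { printf '%s\n' "$SAMPLE_SIGNED"   | classify_pkgutil_output; }
demo_unsigned() { printf '%s\n' "$SAMPLE_UNSIGNED" | classify_pkgutil_output; }
demo_signer()   { printf '%s\n' "$SAMPLE_SIGNED"   | signer_of; }

# Usage: sh check_pkg.sh /path/to/installer.pkg  (hypothetical script name)
if [ $# -gt 0 ]; then
    check_pkg "$1"
else
    echo "signed sample:   $(demo_signed) ($(demo_signer))"
    echo "unsigned sample: $(demo_unsigned)"
fi
```

A package that reports anything other than `trusted`, or whose leaf certificate is not the Developer ID the vendor publishes, should not be installed, regardless of how polished the disk image around it looks; the extra `spctl --assess --type install` call shows whether Gatekeeper would accept it at all.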