Jamf Blog
July 8, 2020 by Matthias Wollnik

Detecting, Preventing and Remediating EvilQuest Ransomware

Once again, a new ransomware variant attacking macOS systems is in the news, dubbed EvilQuest or ThiefQuest. The fact that it is targeting Macs instead of Windows systems already makes it interesting, but there’s more here. Let’s dig into what makes this ransomware interesting and what it means to organizations.

It’s spreading…

This malware brings back the old adage “just because you can doesn't mean you should.” The primary way to currently get infected with EvilQuest is to download pirated (aka illegal copies of) popular software, primarily via BitTorrent. Any security team should see a number of red flags in the sentence above as to why this should never happen in their organization’s environment. But end users make mistakes…

Let’s look at what happens when an installer containing EvilQuest makes it onto a Mac.

Persistence

Apple’s macOS has a number of strong security mechanisms in place. One of these requires the end user to explicitly agree before launching any application or installer that is not signed by its developer.

Of course, we hope our users are well trained enough to recognize that they just downloaded a commercial product, their Mac is telling them that it’s not a valid commercial package and that they probably should hit Cancel.

When the end user hits Open, the malware installs itself as a launch item (either a launch daemon or a launch agent) named com.apple.questd.plist. This launch item points to the malware’s binary (named com.apple.questd) and ensures that each time the end user logs in, the malware is automatically re-executed. To ensure security and IT teams have a hard time removing EvilQuest, it then also injects itself into various other executables already on the Mac.

Removing the com.apple.questd.plist launch item then simply isn’t enough to eradicate the malware.

Impact

EvilQuest basically attacks the system in three ways:

  1. Exfiltration of files: EvilQuest scans the system for certificates, keys and cryptocurrency wallets. Those are then sent back to the attacker for further exploitation.
  2. Remote control: The malware allows an attacker to effectively take control of an infected device. They can execute arbitrary scripts, log keystrokes and exfiltrate interesting data beyond the previously mentioned types.
  3. Encryption: Like traditional ransomware, EvilQuest will then proceed to encrypt all of a user’s files and request a ransom from the user.

Detecting infected devices

With the attention EvilQuest has been getting, we now have a pretty good understanding of how to detect it in your environment. Some of these Indicators of Compromise (IoCs) include the following files:

  /Library/mixednkey/toolroomd
  /Library/AppQuest/com.apple.questd
  ~/Library/AppQuest/com.apple.questd
  /Library/LaunchDaemons/com.apple.questd.plist
  ~/Library/LaunchAgents/com.apple.questd.plist

Jamf Protect detects and prevents the execution of all of these as well as various other IoCs of known EvilQuest variants. For new variants and as an early warning before EvilQuest attempts to run, Jamf Protect identifies the persistence mechanism used by this malware and will alert security teams.
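
For teams that want a quick manual sweep for the five file IoCs listed above, the following is an added example (not Jamf's code and not part of Jamf Protect). The function names, the `--scan` switch and the file name `evilquest_sweep.sh` are hypothetical, and it assumes user homes live under /Users plus /var/root, the macOS defaults.

```shell
#!/bin/sh
# Added example: sweep a macOS volume for the EvilQuest file IoCs listed in this post.

# System-wide IoC paths from the post, relative to the volume root.
SYSTEM_IOCS="Library/mixednkey/toolroomd
Library/AppQuest/com.apple.questd
Library/LaunchDaemons/com.apple.questd.plist"

# Per-user IoC paths from the post (the "~/" entries), relative to each home.
USER_IOCS="Library/AppQuest/com.apple.questd
Library/LaunchAgents/com.apple.questd.plist"

# Print the path if it exists; -L also catches a dangling symlink.
report_if_present() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        printf '%s\n' "$1"
    fi
}

# Print every listed IoC found under ROOT (default /), one per line.
# Assumption: homes are ROOT/Users/* plus ROOT/var/root, the macOS defaults.
scan_evilquest_iocs() {
    root="${1:-/}"
    root="${root%/}"    # "/" -> "", so "$root/Library" stays a clean path
    for rel in $SYSTEM_IOCS; do
        report_if_present "$root/$rel"
    done
    for home in "$root"/Users/* "$root/var/root"; do
        [ -d "$home" ] || continue
        for rel in $USER_IOCS; do
            report_if_present "$home/$rel"
        done
    done
    return 0
}

# Sweep only when asked: sh evilquest_sweep.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    hits=$(scan_evilquest_iocs "${2:-/}")
    if [ -n "$hits" ]; then
        printf 'EvilQuest IoC present:\n%s\n' "$hits"
        exit 1
    fi
    echo "No listed EvilQuest file IoCs found."
fi
```

Passing a mount point as ROOT lets you check an attached disk without booting it. A clean result covers only these five paths, not the other IoCs of known variants mentioned above.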

Furthermore, organizations should limit the use of BitTorrent tools in their environment. With Jamf Protect endpoint security protection, organizations can configure threat prevention to block the execution of most popular BitTorrent clients on their Macs. The MacAdmins community has started to collect a list of TeamIDs to block, which makes a good starting point (note: Jamf did not contribute to this list, nor can we verify it as correct or complete); it can be found here.

If the end user can’t run the illegal software that EvilQuest uses as a transport vehicle, their devices are much less likely to get infected.

What do we do with an infected machine?

Unfortunately, due to the malware’s viral nature and the encryption mechanism used, this is going to be a bigger recovery effort.

Step 1: Create a backup of the encrypted data

This is generally a good first step when faced with a ransomware infection. If a generic decryption tool is available, you’ll want to run it on a copy of the data outside of an infected machine. This way you have a copy of the encrypted data.

In the case of EvilQuest, SentinelOne just released such a tool to recover the encrypted data at https://github.com/Sentinel-One/foss/tree/master/s1-evilquest-decryptor. As a best practice, be careful not to run decryption tools on an infected machine. Decryption tools generally affect the encrypted data — not the live malware.

Step 2: Clean the system

Since this particular malware spreads deeply into infected systems, you should wipe the drive and fully reinstall macOS. If you are using Jamf to manage your devices, you can find instructions on making it easy to remotely re-deploy macOS to an infected machine on our blog https://www.jamf.com/blog/reinstall-a-clean-macos-with-one-button/.

Step 3: Restore clean data

A good backup solution for the end-user data in question is key. Ransomware does not always have generic decryption tools available. Even if it does (or you decide to pay the ransom… please try not to; it only encourages the attackers), there is no guarantee that all data will be recovered.

After you have a clean device, bring back the user’s data from your backup solution.

Where do I go for the full technical breakdown of EvilQuest?

Our principal security researcher Patrick Wardle has spent quite a bit of time detailing the inner workings of this malware in his “OSX.EvilQuest Uncovered” posts: https://objective-see.com/blog/blog_0x59.html and https://objective-see.com/blog/blog_0x60.html

It seems he even caught the attention of the malware authors…

https://twitter.com/Myrtus0x0/status/1280648821077401600
