EvilQuest

EvilQuest, also known as ThiefQuest, is a ransomware variant that targets macOS systems. EvilQuest also includes some information stealing and data exfiltration features. It is actively being enhanced with new features to avoid detection.

Symptoms

You might observe the following artifacts associated with this threat:

• Files rendered inaccessible with altered extensions.
• Presence of a ransom note demanding payment for file decryption.
• Unexpected system behavior, such as frequent crashes or degraded performance.
• Unauthorized network activity indicating potential data exfiltration.

Technical Breakdown

Upon execution, the malware performs the following actions:

• Persistence Mechanism: Installs itself as a launch item, ensuring execution upon subsequent user logins.
• File Encryption: Encrypts system files and displays a ransom note demanding payment for decryption.
• Data Exfiltration: Scans the system for sensitive information, including certificates, keys, and cryptocurrency wallets, and transmits them to the attacker's server.
• Remote Control Capabilities: Allows attackers to execute arbitrary scripts, log keystrokes, and exfiltrate additional data.

Notably, EvilQuest's ransomware functionality may serve as a decoy, with its primary objective being data theft and establishing persistent remote access.

Next Steps

Kandji Endpoint Detection & Response (EDR) automatically removes detected threats when file monitoring is set to Protect.

While the malicious file is removed, it can leave behind artifacts that need to be cleaned manually.

In the future, avoid downloading and installing software from torrent sources or untrusted websites. Ensure that all applications are obtained from official and reputable sources to maintain system integrity and security.