The new malware sample discovered this week, dubbed EvilQuest by security researchers, may be ushering in a new class of Mac malware, according to Thomas Reed, director of Mac and mobile with Malwarebytes.
While EvilQuest pretends to be ransomware, in the background it is actually using its ransomware functionality as a front for exfiltrating large amounts of data, Reed said. It is the first Mac malware he has seen do so. EvilQuest also features the ability to deploy a keylogger (for monitoring what is typed on the device) and the capability to steal cryptocurrency wallets on victims' systems.
Overall, the new malware sample points to a rapidly evolving Mac landscape. In fact, for the first time ever, Malwarebytes found that in 2019 Macs had outpaced Windows PCs in the number of threats detected per endpoint. Reed discusses EvilQuest and other Mac threats in this week's Threatpost podcast.
Download the episode directly: traffic.libsyn.com/digitalunderground/Thomas_Reed_-_Mac_Malware_Threats.mp3
Below find a lightly edited transcript of the podcast.
**Lindsey O'Donnell Welch:** Hi, everyone, welcome back to the Threatpost podcast. You've got your host, Lindsey O'Donnell Welch, here today with Threatpost. And we're chatting today about Mac threats and one particular Mac-targeting malware that was discovered just this week. So I'm joined today by Thomas Reed, who is the director of Mac and mobile with Malwarebytes and an expert in all things Mac and mobile security related. Thomas, thanks so much for joining me today.
**Thomas Reed:** Yeah, thank you for having me.
**LO:** So I'm sure that you have a lot going on on your end... but there's really a lot of things we can talk about today. I feel like there's so much going on.
**TR:** Yeah, it's been really busy the last couple of days especially.
**LO:** I feel like we should start by addressing the more pressing news that has broken this week. And that is a new malware sample that is targeted toward Mac users, and that's called EvilQuest. So I'm kind of interested in the analysis part of this, Thomas, because this malware sample was tweeted out on Monday by security researcher Dinesh Devadoss, and basically within 24 hours a bunch of Mac security experts, including yourself, including Patrick Wardle and others, had published analyses on this new malware. So I want to talk a little bit about the malware sample, but I also wanted to ask you a little bit about what goes into analyses when you're looking at, you know, newly discovered Mac malware samples or families like this one. Like, what are some of the first things you look for?
**TR:** Yeah, so one of the first things that I'm interested in finding out is, you know, what artifacts does the malware drop on the system when it runs? So for me, one of the first things that I will typically do is I will load up the malware on a test machine and run it and see what happens, see what it does, see what files it creates, what kind of network connections it makes, all that stuff. So basically doing a live test run, so to speak, and just see what happens. And so that's usually the first thing that I will do, and certainly EvilQuest was no different. And then, after I've learned what I can from that, then I will go in and look into things like what is it actually doing that maybe I didn't observe, things like, you know, what kind of code is there in the program, code that's in some of the files that it drops and that sort of thing. And that's how we reveal a little bit more of the full capabilities that may not always show up when you're just running it and testing it.
**LO:** Right. Yeah, absolutely. And I know for EvilQuest, can you talk me through kind of what you discovered in terms of some of the capabilities that this malware has? I know, you know, there's a lot of focus on the ransomware aspect of it, but it sounds like there's also a couple of other functionalities that it has in terms of, you know, sniffing out crypto-wallets on the system, in terms of data exfiltration. So can you walk us through some of those?
**TR:** Yeah, absolutely. So from the start, we knew that this was ransomware, because actually, before that original tweet, I had gotten some information from somebody about a post on a Russian torrent forum where people had downloaded an installer, and it turned out to be loaded with ransomware. And they were getting ransomware messages, like the ransom notes and that sort of thing. So I knew it was ransomware from the start, but when I ran it live on a system, I was having a lot of trouble getting it to actually encrypt anything. I wasn't getting a ransom note or anything like that.
So it was a little bit frustrating because it wasn't behaving the way that I knew that it was supposed to behave. So I did figure out what files it dropped on the system. Although that initial list was a little incomplete because it didn't drop everything that it did for some other people and for me on later installs. So right from the start, it seemed a little bit inconsistent, like maybe it was a little buggy or maybe somehow it had decided that I was running it in a suspicious environment, I don't know. But so I went straight into the static analysis, looking at the code. And interestingly, the compiled code had all the function names right there. So you could actually read through and see what all the functions were and what they were supposed to do, you know, so you could see there were functions for, you know, persistence, functions for encrypting and decrypting, you know, and a number of other things. So you could see kind of a map of all the functionality laid out right there for you. So that was a nice little bonus, you don't always get that with malware.
And so from the start, we thought it was ransomware. And that's kind of where all the initial analysis landed. Interestingly, as we've done further research into this, it looks like the ransom may not be real; it may be sort of a cover for other activities. I worked a little with Lawrence Abrams at BleepingComputer on some of this, and he had some very interesting revelations from his experience with Windows ransomware. So one of the interesting things to note is that the ransom notes that were left on the computers, after comparing them from different computers, all used exactly the same Bitcoin address. So there's no way for the folks behind it to verify that a particular individual paid. And then on top of that, there's not an email address given anywhere. So you wouldn't have any way to contact the people behind this to get your decryption key after you paid. So that's highly suspicious. That's very, very weird. That's not what you would typically see for real ransomware.
**LO:** Right. Those are certainly red flags.
**TR:** Yeah, yeah. And then I was also doing some network analysis, seeing what kind of network transactions were going on. And I fired it up and was monitoring everything. And I was seeing hundreds of connection attempts to their command and control server. And when I dug into them, every single one of those connection attempts included two pieces of information: one was a file path to a file on my test system and the second was a base64-encoded string containing the contents of that file. So it was exfiltrating a huge amount of data. And there was a Python file that was hidden on the system that we found that was responsible for sending all that data. And you could look and see it had a whole list of file extensions that it was looking for. So it wasn't exfiltrating everything, but anything that matched certain file extensions that was in the user's folder.
**LO:** That's really interesting. Have you seen that method before, of kind of ransomware being used as a cover for data exfiltration or other malicious activities in the background?
**TR:** Not on the Mac. No. And so I kind of feel like, you know, being Mac researchers, folks like me were a little bit handicapped because we don't have this history of experience with ransomware that Windows researchers do. We've only ever actually seen three pieces of ransomware on the Mac, and they all dated back to around 2016, early 2017. And all of them are extinct at this point. None of them were particularly successful. They didn't last very long and we just don't see them anymore.
**LO:** Am I correct in saying those three were KeRanger, FindZip and MacRansom?
**TR:** That's correct. I think I have never seen a copy of MacRansom detected on any end user system.
**LO:** Yeah, I'm curious why is ransomware so rare that targets Mac users? I mean, is it because of the users of Mac, is it that Macs themselves are difficult to deploy this ransomware against, or what's behind that?
**TR:** Honestly, I think that Mac users are kind of a ripe target for malware, because, as I mentioned earlier, there still are so many that believe that Macs are invulnerable to viruses, to malware. I think that Mac users are a particularly prone target. I think the main reason why we haven't been targeted with ransomware as much, historically, is just because it's a smaller market share. So if you're doing ransomware that's meant to just scatter widely and infect as many people as possible, you're going to have more targets on Windows than you are on Mac. So if you spend your time developing on the Mac, you have fewer targets and thus you'll make less money from your ransomware. So I think that's really all there is to it. I do think that as Mac market share grows, we will have an increasingly likely risk of ransomware. But at the same time, Apple has done some things that can help mitigate some of those risks. So for example, when I ran this EvilQuest on a recent macOS system, one running 10.15, so macOS Catalina, it asked for a lot of permissions. So I saw this weirdly named process keep asking me for access to my documents, my desktop, my contacts, my calendars, etc., etc. And so that's a big red flag. If you're an end user, and all of a sudden something you don't recognize is asking for all those permissions, you may say no, and that's kind of a barrier that may get in the way of future ransomware.
**LO:** Right. That's a really good point. And to your point earlier, I do think that there has been this historic view that Macs are immune from all types of malware. And you know, clearly that's not the case anymore. I mean, we can see that in this instance. And we can see that with other types of malware that have emerged. And I know that you released a 2020 State of Malware report earlier this year, where you found that, for the first time ever, Macs had outpaced Windows PCs in the number of threats that were detected per endpoint. And the report also saw a significant rise in the overall prevalence of Mac threats that were seen in 2019. And I think you guys said it was like a 400 percent increase from 2018. So, you know, I'm sure part of that is due to kind of an increase in Mac endpoints themselves, but why do you think that you're seeing this upward surge from a threat landscape perspective?
**TR:** Yeah, well I think part of it is just because the number of Mac users out there is growing, the Mac market share is expanding. Now is kind of a time where PC sales have kind of slumped, a lot of people are more interested in mobile, but the Mac market share still is managing to hold its ground or even grow. So that's part of it, I'm sure. The other part of it, I believe, is that there's this perception, and it may or may not be valid in all cases, but the perception is that in general Mac users are a juicier target. And there's potentially some validity to that. I mean, you can get a cheap Windows PC for a few hundred dollars, but there is not a Mac anywhere, unless maybe you're talking about a used Mac on eBay from 10 years ago, that would cost you that little. So there may be some truth to that perception. And that may mean that, for stuff like this particular malware that does data exfiltration, there may be some very juicy data on your Mac versus on a Windows machine. You know, if it's a Mac that's owned by an executive, or someone else who is highly placed in a company, then that's very juicy data to have.
**LO:** You've definitely been covering Macs for a while now. What are some of the top threats that have only recently emerged that are facing Mac users specifically in 2020?
**TR:** Well, yeah, there hasn't been a lot of new classes of threats in 2020. I would say that this EvilQuest is probably the first new class of malware that we've seen in a very long time. You know, this is something a little bit different than ransomware. And it's something that really has been typically only seen on Windows, not on Mac. But beyond that, it's mostly just been new variants of the same old thing. So new variants of things like backdoors, keyloggers, commercial spyware, adware, PUPs, all these different categories; those basic classes haven't really changed on the Mac very recently.
**LO:** Right, in the report you had mentioned that the most prevalent types of threats for 2019 include adware and then also PUPs, or potentially unwanted programs. And you know, adware seems to be big across mobile overall, by the way, but is it something that is kind of distributed evenly between Macs and Windows? Or is it kind of one versus the other? What are you seeing there in terms of where that's being targeted?
**TR:** Yeah, we definitely see a lot of adware and PUP threats on the Windows side as well. It's a very large portion of the threat landscape on all platforms. You know, especially PUPs, the potentially unwanted programs. Those are things that are kind of on the border, but just a little; they're trying not to cross the line over to being actual malware. And so those are things that can stay around and stay in business for years without any legal threats. They don't have to worry about being taken off to jail or anything like that. And without being detected by a lot of antivirus programs. So that's a popular type of threat these days, because there's not a lot of risk. Definitely on the Windows side, we see a lot more actual malware, where we're talking about backdoors and, you know, crypto miners, info stealers, that sort of thing. We see a lot more on Windows than on Mac, but there is this constant undercurrent on the Mac of these more malicious programs. And some of them are associated with APT groups like the North Korean Lazarus group. But others really aren't as attributable to any particular APT or other groups. They're just your average malware from some guy somewhere who decided he wanted to get rich on something.
**LO:** Yeah, no, certainly. And, you know, I'm curious too, for the rest of 2020, what are some of the top trends that you think we'll see in terms of macOS malware, or different threats that are targeting Macs, or just any kind of security trends?
**TR:** Yeah. So we've kind of continued looking at the data for this year compared to last year and, of course, you know, I'm sure things will change. We're only halfway through the year at this point, but we have seen some shifting in which adware and PUPs are at the top of the food chain. But overall we're still seeing that adware and PUPs are the dominant pieces, the dominant threats on the Mac threat landscape. We do anticipate seeing some further new Mac malware throughout the course of the year. We've seen some already, we've seen some very interesting stuff so far. I'm kind of curious to see whether this EvilQuest malware is going to usher in kind of a new class of malware to the Mac or if it will be a fairly isolated case. We'll know more about that in, you know, another six months.
**LO:** Definitely, and I know EvilQuest too is something that we'll be keeping our eye on. Is there anything else before we wrap up that you want to mention about EvilQuest, anything that turned your head or, you know, makes it unique from other different types of malware?
**TR:** Yeah, I think the most unique thing here is not really the way that it does the ransom. You know, it seems like kind of a failed attempt at ransomware. And we've seen that before; we mentioned the three pieces of ransomware we'd seen in the past, FindZip was one of them, and it was kind of a failure to start with, there was no way for people to get their files decrypted from the malware author. But the encryption method was so poor that it was fairly trivial to decrypt the files. So seeing something do a bad ransomware attempt on the Mac is nothing new. But seeing it used to cover up other activities is very new and interesting. That's something we've never seen in the history of all Mac malware; that I think is its most unique feature.
**LO:** Right. Yeah. And there certainly seemed to be a ton of other interesting little aspects of it as well that you had mentioned in your analysis. And I know it has those anti-analysis features, and also the keylogging functionalities too, so I think that it's going to be really kind of interesting to see where that goes in the next few months, as you mentioned before, and, you know, what kind of threat this turns out to be for the Mac landscape. So Thomas, thank you again for coming on to the Threatpost podcast to talk about Mac security and malware that you're seeing.
**TR:** Yeah, no problem.
**LO:** Once again, this is Lindsey O'Donnell Welch with Thomas Reed over at Malwarebytes. If you're interested in Mac security threats, or if you have any comments on the trends that we've discussed today in this podcast, head over to the comments on our Twitter page @Threatpost and send us your thoughts. And to all our listeners, have a great rest of the week and catch us next week on the Threatpost podcast.
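The exfiltration channel Reed describes in the interview (hundreds of C2 requests, each carrying a file path plus the base64-encoded contents of that file, limited to certain extensions under the user's folder) is the kind of pattern a defender can pick out of egress or proxy logs. The Python below is an added example written for this page; it is not code from the podcast, from Malwarebytes or from the EvilQuest sample. It parses constructed log lines in an assumed format, keeps only requests whose payload is well-formed base64, totals what was taken, flags hits against an assumed extension watch list under an assumed home directory, and rebuilds the exfiltrated files so a victim can see exactly what left the machine. The log-line layout, the C2 hostname, the home path and the extension list are all assumptions for illustration; the page does not document EvilQuest's real wire format.

```python
"""Spot and reconstruct path-plus-base64 file exfiltration in egress logs.

Added example: the request layout, host names, paths and extension list
below are constructed assumptions, not EvilQuest's real C2 protocol.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from urllib.parse import parse_qs

# Assumed proxy log format: "<timestamp> <client-ip> POST <url> body=<form body>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) POST (?P<url>\S+) body=(?P<body>.*)$")

# Extension watch list modelled on the behaviour described in the interview
# (a fixed list of extensions, searched under the user's folder). The exact
# extensions here are an assumption for this example.
WATCHED_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".key", ".pem", ".zip"}

# Constructed sample log lines (not captured traffic). Lines 1-3 carry a
# path and a valid base64 payload; line 4 is an ordinary form post; line 5
# has a "data" field that is not base64 and must not be counted.
SAMPLE_LOG = """\
2020-06-30T10:00:01 10.0.0.5 POST http://c2.example.invalid/api body=path=%2FUsers%2Fjane%2FDocuments%2Fnotes.txt&data=aGVsbG8gd29ybGQ%3D
2020-06-30T10:00:02 10.0.0.5 POST http://c2.example.invalid/api body=path=%2FUsers%2Fjane%2F.ssh%2Fid_rsa.pem&data=LS0tLS1CRUdJTg%3D%3D
2020-06-30T10:00:03 10.0.0.5 POST http://c2.example.invalid/api body=path=%2FUsers%2Fjane%2FLibrary%2FCaches%2Fblob.bin&data=AAAA
2020-06-30T10:00:04 10.0.0.5 POST http://c2.example.invalid/api body=q=search&lang=en
2020-06-30T10:00:05 10.0.0.5 POST http://c2.example.invalid/api body=path=%2Ftmp%2Fx.txt&data=not*base64!
"""


@dataclass
class ExfilRecord:
    timestamp: str
    path: str
    content: bytes


def parse_exfil_request(line: str):
    """Return an ExfilRecord when the line carries a file path plus a
    well-formed base64 payload, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = parse_qs(m.group("body"), keep_blank_values=True)
    path = params.get("path", [""])[0]
    data = params.get("data", [""])[0]
    if not path or not data:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet, so
        # ordinary form values are not mistaken for encoded file contents.
        content = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    return ExfilRecord(m.group("ts"), path, content)


def triage(lines, home="/Users/jane", watched=WATCHED_EXTENSIONS):
    """Summarise how much was exfiltrated and which watched files were hit."""
    records = [r for r in map(parse_exfil_request, lines) if r is not None]
    hits = [
        r.path
        for r in records
        if r.path.startswith(home.rstrip("/") + "/")
        and PurePosixPath(r.path).suffix.lower() in watched
    ]
    return {
        "requests": len(lines),
        "exfil_requests": len(records),
        "bytes_exfiltrated": sum(len(r.content) for r in records),
        "watched_hits": hits,
    }


def recovered_files(lines):
    """Map each exfiltrated path to its decoded contents, so the victim can
    see exactly which files (and which versions) left the machine."""
    return {r.path: r.content for r in map(parse_exfil_request, lines) if r is not None}


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    print(triage(sample))
    for path, content in recovered_files(sample).items():
        print(f"{path}: {len(content)} bytes")
```

To use this on real data, adapt `LINE_RE` to your proxy's line format and feed it the log; the base64 validation is what separates genuine encoded payloads from ordinary form fields, and the home-directory check mirrors the "only under the user's folder" scoping Reed describes.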