Do you think your Mac laptop is bulletproof for malware? Unfortunately, many Mac owners believe in this delusion. Throughout much less malware exists for Mac than for Windows, Apple production can be vulnerable too. Recent research has found a new kind of ransomware especially created to attack Mac computers. Actually, it’s much more dangerous than just ransomware. In reality, it’s a multipurpose weapon made to steal, spy and encrypt/destroy data on Macs. It’s named ThiefQuest.

How it harms

Sure enough, like any ransomware, ThiefQuest encrypts files on the infected laptops depriving users from access to their data. But in addition to that, it has a bunch of other malicious capabilities. Among the most dangerous of them is the ability to steal files and send them to attackers’ servers before encrypting. More of that, ThiefQuest looks through the system files in search of passwords, cryptocurrency wallets and other financial information.

But that’s not all. ThiefQuest includes a keylogger that intercepts keystrokes to steal value information like credentials and bank card numbers while the victim is typing. And even more, the cunning malware installs a backdoor into the victim’s machine thus making it persistently infected and bringing it under constant control of the attackers. That gives us the right to call ThiefQuest a multipurpose malware that includes various methods of harming victims’ computers — a tool to spy and demand a ransom.

Interesting, that this combination looks rather strange because those purposes are rarely seen in one piece of malware, and there is a solid reason for that. Spyware and backdoors usually aimed at hiding themselves as long and much as possible, because they are supposed to work covertly. Unlikely, ransomware is aimed to claim its presence right after encrypting the files on the victim’s machine to extort ransom.

Another weird thing about the ThiefQuest is that it has typical for ransomware ransom note but did not include an email address or other attackers’ contact for victims to get a key to decrypt files. It has only a bitcoin address in its random note. So, even if we imagine that the victim pays a ransom, how will she be able to get the decryption key while there is no channel for that?

In fact, it looks like an effort to impersonate ransomware, as it was with malware used in the infamous “NonPetya” attack in 2016. When the ransomware encrypts files without supposing a possibility to decrypt them, it should be rather considered as destroying malware or cyber weapon.

But be it a ransomware, spyware or cyber weapon in the first turn, ThiefQuest can cause a big mess to anyone who has tough luck to catch it.

How it spreads

For the moment, ThiefQuest is disseminated via torrents in bundles with pirated software, disguising itself as programs with useful-like names, for example, “Google Software Update”. It does not run automatically but needs a user’s action to run the malicious file and infect a computer.

How to protect from ThiefQuest

Fortunately, the infecting process of this malware is not as sophisticated as malware itself. Firstly, it attacks –at least, for the moment -only those who download and use pirated software. Secondly, its installation process causes a lot of warnings from the Mac OS system. So, to successfully install it a user must persistently ignore all these warnings.

This sounds soothing, but in reality there is no reason to think the situation won’t change in the nearest future. Attacking Macs is an enormously attractive idea for cybercriminals, so an updated version of ThiefQuest may appear soon as well as new, wider methods of its propagation. So, as always, vigilance is essential.

Be informed and live secure with DIESEC!