New EvilQuest ransomware discovered targeting macOS users

July 1, 2020
in Internet Security

Security researchers have discovered this week a new ransomware strain targeting macOS users.

Named OSX.EvilQuest, this ransomware is different from previous macOS ransomware threats because besides encrypting the victim’s files, EvilQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallet-related files from infected hosts.

“Armed with these capabilities, the attacker can maintain full control over an infected host,” said Patrick Wardle, Principal Security Researcher at Jamf. This means that even if victims paid, the attacker would still have access to their computer and could continue to steal files and keystrokes.

Wardle is currently one of the many macOS security researchers who are analyzing this new threat.

Others who are also investigating EvilQuest include Thomas Reed, Director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne.

Reed and Stokes are currently looking for a weakness or bug in the ransomware’s encryption scheme that could be exploited to create a decryptor and help infected victims recover their files without paying the ransom.

EvilQuest is distributed via pirated software

But the researcher who first spotted the new EvilQuest ransomware is K7 Lab security researcher Dinesh Devadoss.

Devadoss tweeted about his finding yesterday, June 29. However, new evidence that surfaced in the meantime has revealed that EvilQuest has, in reality, been distributed in the wild since the start of June 2020.

Reed told ZDNet in a phone call today that Malwarebytes has found EvilQuest hidden inside pirated macOS software uploaded on torrent portals and online forums.

Devadoss spotted EvilQuest hidden in a software package called Google Software Update, Wardle found samples of EvilQuest inside a pirated version of the popular DJ software Mixed In Key, and Reed spotted it hidden inside the macOS security tool Little Snitch.

[Image: Russian forum spreading a pirated macOS app infected with OSX.EvilQuest. Image: ZDNet via Malwarebytes]

However, Reed told us he believes the ransomware is most likely distributed more broadly, through many other apps and not just these three.

Wardle, who published an in-depth technical analysis of EvilQuest earlier today, said the malware is pretty straightforward, as it moves to encrypt the user’s files as soon as it’s executed.

Once the file encryption scheme ends, a popup is shown to the user, letting the victim know they’ve been infected and their files encrypted.

[Image: the popup EvilQuest shows after encrypting files. Image: Dinesh Devadoss]

The victim is directed to open a ransom note in the form of a text file that has been placed on their desktop, which looks like the one below:

[Image: the EvilQuest ransom note. Image: Patrick Wardle]

Stokes told ZDNet the ransomware will encrypt any files with the following file extensions:

.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat

After the encryption process ends, the ransomware installs a keylogger to record all of the user’s keystrokes and a reverse shell so the attacker can connect to the infected host and run custom commands. It also tries to steal the following types of files, which are usually used by cryptocurrency wallet applications:

  • “wallet.pdf”
  • “wallet.png”
  • “key.png”
  • “*.p12”

In his own analysis of EvilQuest, Reed noted that the ransomware also attempts to modify files specific to Google Chrome’s update mechanism and use those files as a form of persistence on infected hosts.

“These [Chrome update] files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed,” Reed said. “However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it’s unclear what the purpose here is.”
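As an added defensive example (not code from ZDNet or from any of the researchers quoted here), the check below walks a directory and flags script-like files whose first bytes are a Mach-O header, which is the pattern Reed describes: native executable content prepended to text-based update files. The sample tree, the file names and the extension list are constructed assumptions for the demonstration.

```python
import os
import tempfile

# Mach-O and universal (fat) binary magic numbers as they appear on disk.
# Caveat: 0xCAFEBABE is also the Java class-file magic, so a FAT_MAGIC hit
# on a .class-like file deserves a closer look before acting on it.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "MH_MAGIC (32-bit, big-endian)",
    b"\xce\xfa\xed\xfe": "MH_CIGAM (32-bit, little-endian)",
    b"\xfe\xed\xfa\xcf": "MH_MAGIC_64 (64-bit, big-endian)",
    b"\xcf\xfa\xed\xfe": "MH_CIGAM_64 (64-bit, little-endian)",
    b"\xca\xfe\xba\xbe": "FAT_MAGIC (universal binary)",
}

# Assumed set of extensions that should never begin with a Mach-O header:
# shell/Python scripts, property lists and other text files in an update tree.
TEXT_LIKE_EXTS = {".sh", ".py", ".plist", ".xml", ".txt", ".strings"}

def classify_file(path):
    """Return the magic description if a text-like file starts with a
    Mach-O header (a sign of prepended native code), otherwise None."""
    _, ext = os.path.splitext(path)
    if ext.lower() not in TEXT_LIKE_EXTS:
        return None
    with open(path, "rb") as fh:
        head = fh.read(4)
    return MACHO_MAGICS.get(head)

def scan_tree(root):
    """Walk a directory and return {path: magic_description} for every hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            desc = classify_file(full)
            if desc:
                hits[full] = desc
    return hits

def build_sample_tree():
    """Construct a temporary tree with one clean script and one script that
    has a fake 64-bit Mach-O header prepended (constructed sample, not malware)."""
    root = tempfile.mkdtemp(prefix="update_tree_")
    with open(os.path.join(root, "clean.sh"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho update\n")
    with open(os.path.join(root, "tampered.sh"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"#!/bin/sh\necho update\n")
    return root

if __name__ == "__main__":
    for path, desc in scan_tree(build_sample_tree()).items():
        print(f"{path}: {desc}")
```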

Wardle, who has created several open-source macOS security tools, said that a tool he released in 2016, named RansomWhere, can detect and stop EvilQuest from running. Reed said that Malwarebytes for Mac has also been updated to detect and stop this ransomware before it does any damage.

EvilQuest is the third ransomware strain that has exclusively targeted macOS users after KeRanger and Patcher. Another macOS ransomware strain called Mabouia only existed at a theoretical level and was never released in the real world.

Credit: ZDNet
