ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links. Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.
Associated Software Descriptions
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols|
|Enterprise||T1059||.002||Command and Scripting Interpreter: AppleScript|
|Enterprise||T1554||Compromise Client Software Binary||
ThiefQuest searches through the
|Enterprise||T1543||.001||Create or Modify System Process: Launch Agent||
ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the
|.004||Create or Modify System Process: Launch Daemon||
When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the
|Enterprise||T1486||Data Encrypted for Impact|
|Enterprise||T1041||Exfiltration Over C2 Channel||
ThiefQuest exfiltrates targeted file extensions in the
|Enterprise||T1564||.001||Hide Artifacts: Hidden Files and Directories|
|Enterprise||T1562||.001||Impair Defenses: Disable or Modify Tools|
|Enterprise||T1056||.001||Input Capture: Keylogging|
|Enterprise||T1036||.005||Masquerading: Match Legitimate Name or Location|
|Enterprise||T1518||.001||Software Discovery: Security Software Discovery||
ThiefQuest uses the
|Enterprise||T1497||.001||Virtualization/Sandbox Evasion: System Checks||
ThiefQuest uses a function named
|.003||Virtualization/Sandbox Evasion: Time Based Evasion||
- Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.
- Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
- Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
- Phil Stokes. (2020, July 8). “EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One. Retrieved April 1, 2021.
- Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
- Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021.