ThiefQuest ransomware is actively targeting macOS users

Still today, many users think that ransomware is a nasty thing targeting Windows-platforms only

The reality is slightly different: although the market share of Windows systems remains out of reach, Mac and Linux systems need to raise their shields these days. Even the „fortified“ and seemingly „free of viruses“ Mac platform is under siege at the moment, a fact that Bleeping Computer wrote about this week. What has happened, and how should these facts make us rethink the level of security we give our Macs?

Stay calm, use Brain 2.0

First of all, please don’t freak out (yet): although it is not common, ransomware has already targeted the macOS platform in the past. KeRanger, FileCoder (aka Findzip), and Patcher are just three other examples of malware designed to encrypt Mac systems. The obvious question is what you can do to prevent your Mac’s files from being encrypted. To begin with, there are two hints that apply to every system I have worked with so far:

  • Back up early and back up often to an encrypted Time Machine backup that is kept separate from the source system.
  • Never fetch your software from sources other than the developer’s website or Apple’s App Store! This last point in particular was the key that unlocked the door for ThiefQuest.

What happens?

The victim’s system gets infected after downloading trojanized installers of popular apps from torrent trackers. The ransomware was first spotted by K7 Lab malware researcher Dinesh Devadoss and analyzed by Malwarebytes’ Director of Mac & Mobile Thomas Reed, Jamf Principal Security Researcher Patrick Wardle, and BleepingComputer’s Lawrence Abrams, who found an interesting twist following the outbreak. The unwanted guest is capable of checking whether it is running in a virtualized system and also features anti-debug capabilities, which makes it hard to grasp the full extent of ThiefQuest.

At the same time, it checks for common security tools like Little Snitch (which, according to some sources, it also disguises itself as) and antivirus software like Bitdefender, Kaspersky, Norton or Avast, and it implements a reverse shell that is used to connect to a command-and-control (C2) server. The malware additionally connects to http://andrewka6.pythonanywhere-dot-com/ret.txt to get the IP address of the C2 server, from which it downloads further files and to which it sends data. According to Jamf’s Patrick Wardle, and considering the impact on the system, „the attacker can maintain full control over an infected host“.


How do you get it?

So how is this ransomware being distributed? You may already have guessed it after reading the second paragraph: disguising itself as an official and signed .PKG package of Little Snitch or Ableton is the key to the (so far) locked doors of your macOS system. The installers also turn out to be .DMG packages without the app’s standard icon, so this is the point, at the very latest, where you should be very careful if you prefer to get your (pirated!) software from rather unofficial sources.

Malwarebytes’s Thomas Reed also found that, in the case of one of the ThiefQuest samples analyzed, the packages of compressed installer files include the pirated apps’ original installers and uninstallers, together with a malicious patch binary and a post-install script used to launch both the installer and the malware. ThiefQuest then copies itself into ~/Library/AppQuest/ and creates a launch agent property list at ~/Library/LaunchAgents/ with the „RunAtLoad“ key set to true, so that it is launched automatically whenever the victim logs into the system.

After gaining persistence on the infected device, ThiefQuest launches a configured copy of itself and starts encrypting files, appending a „BEBABEDD“ marker at the end. So far it seems to be locking files randomly, causing various issues on the compromised system, from encrypting the login keychain to resetting the Dock to its default look and causing Finder freezes. “Once file encryption is complete, it creates a text file named READ_ME_NOW.txt with the ransom instructions,” Patrick Wardle added. It will also display a modal prompt and read it aloud using macOS’ text-to-speech feature, letting users know that their documents were encrypted.
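The persistence and encryption traces described in the last two paragraphs can be checked for on a system. The following is an added example, not code from the article or from the researchers it cites: it looks for the ~/Library/AppQuest/ folder, a launch agent with RunAtLoad set to true, READ_ME_NOW.txt and files ending in the marker. The function names, the byte form of the marker and the sample data are assumptions of this example.

```python
import plistlib

# Indicators named in the article. Assumptions of this example: the marker is
# matched as four raw bytes or as ASCII text, and the launch agent's program
# path points into ~/Library/AppQuest/. All functions take a pathlib.Path.
MARKERS = (bytes.fromhex("BEBABEDD"), b"BEBABEDD")
DROP_DIR = "Library/AppQuest"
AGENT_DIR = "Library/LaunchAgents"
NOTE_NAME = "READ_ME_NOW.txt"

def has_marker(path):
    """True if the file ends with one of the marker forms."""
    try:
        with open(path, "rb") as fh:
            fh.seek(max(0, fh.seek(0, 2) - 8))  # 8 bytes before end of file
            return fh.read().endswith(MARKERS)
    except OSError:
        return False

def agent_is_suspicious(plist):
    """True for a RunAtLoad=true agent whose program lives in DROP_DIR."""
    try:
        data = plistlib.loads(plist.read_bytes())
        args = data.get("ProgramArguments") or [data.get("Program", "")]
        return data.get("RunAtLoad") is True and f"/{DROP_DIR}/" in str(args[0])
    except Exception:  # unreadable or malformed plist
        return False

def scan(home):
    """Collect every indicator found below the given home directory."""
    files = [p for p in home.rglob("*") if p.is_file()]
    rel = lambda p: p.relative_to(home).as_posix()
    agents = [p.name for p in (home / AGENT_DIR).glob("*.plist") if agent_is_suspicious(p)]
    return {"drop_dir": (home / DROP_DIR).is_dir(),
            "agents": sorted(agents),
            "notes": sorted(rel(p) for p in files if p.name == NOTE_NAME),
            "marked": sorted(rel(p) for p in files if has_marker(p))}

def build_sample(home):
    """Constructed test data: a fake home directory carrying the indicators."""
    for d in (AGENT_DIR, DROP_DIR, "Desktop", "Documents"):
        (home / d).mkdir(parents=True)
    progs = {"com.example.agent": str(home / DROP_DIR / "payload"),
             "com.example.ok": "/usr/bin/true"}
    for label, prog in progs.items():
        body = {"Label": label, "RunAtLoad": True, "ProgramArguments": [prog]}
        (home / AGENT_DIR / f"{label}.plist").write_bytes(plistlib.dumps(body))
    (home / "Desktop" / NOTE_NAME).write_text("constructed ransom note\n")
    (home / "Documents/report.pdf").write_bytes(b"ciphertext" + MARKERS[0])
```

Calling `scan(pathlib.Path.home())` runs the same checks against a real home directory; a hit on any single indicator is a reason to investigate, not proof of infection.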

Payment or not?

The final result: the victims are asked to pay a ransom of 50 US dollars in bitcoins within three days to recover their encrypted files and are directed to read a ransom note saved on their desktops. Obviously, the same Bitcoin address is used for all victims and, unlike some Windows ransomware types, there is no e-mail address through which you could try to contact the bad guys. Without any kind of contact, the researchers also assume that the files are more likely wiped than decrypted after paying the (quite low) fee, as wipers are usually used as a cover for some other malicious activity.

ThiefQuest encryption message — Picture Credits: Bleeping Computer

Seen from my point of view, no one should pay, to prevent those obscure people from benefiting from their inhuman business model — there may be a chance that you’ll get value for money, but who certifies that there aren’t any traces of a mutating ransomware left behind, scheduled to rise again in some weeks? Think about it: often the well-known security companies offer a decryption tool some weeks after the outbreak!

Instructions how to decrypt your files — Picture Credits: Bleeping Computer

A stepping stone for an even more malicious guest?

After the malware was analyzed by BleepingComputer’s Lawrence Abrams, the portal believes that the ransomware is simply a decoy for the true purpose of this malware. The real goal seems to be to search the infected computer for certain file types and steal them. When the malware is executed on a Mac, it executes shell commands that download Python dependencies and Python scripts disguised as GIF files, and then runs them, finally trashing your system to its full extent. One of those Python scripts is so heavily obfuscated that even the experts at Bleeping Computer weren’t able to work out what it ultimately does.

Strange Python script — Picture Credits: Bleeping Computer

Any files residing in the specific user folder and ending with the extensions .pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet or .dat are targeted and Base64-encoded. An interesting additional fact is that the script will not process or transfer any files greater than 800KB in size.

What should you do?

Once you have been affected, there are many ways to react. First of all, an up-to-date backup serves you well. If you have the unwanted guest on your system, certain security software may be able to get rid of it. Malwarebytes, for example, detects ThiefQuest as „Ransom.OSX.ThiefQuest“ and removes it from the affected system. Other security solutions may do so as well (filing it under a different name), but the best protection is definitely not to push the natural protection of your macOS system over the edge, and to handle it with care and a certain degree of precaution.


Don’t leech your software from unknown or obscure sources; get it from the developer’s website or the Apple Store instead. And — did I already mention it? — have. An. Effective. And. Up-to-date. Backup! You may need to restore your system to a state that is free of ThiefQuest!

Updated News

In the meantime, Apple has updated XProtect, the malware protection integrated into macOS, with new patterns in v2125 and is now able to detect the uninvited guest under the name “MACOS.6cb9746”.

In addition, Sentinel Labs was able to break the encryption routine, which is described as a rather weak one. Although you can find the command-line tool on GitHub, it is recommended to restore from a clean backup once the ransomware has hit your system. So far, security analysts think that the encryption of user files may still be just a door opener for grabbing as much user data as possible, logging all keystrokes and settling deeper into macOS. Be careful!