EvilQuest: Inside A ‘New Class’ of Mac Malware


Mac expert Thomas Reed discusses how EvilQuest is ushering in a new class of Mac malware.

The new malware sample discovered this week, dubbed EvilQuest by security researchers, may be ushering in a new class of Mac malware, according to Thomas Reed, director of Mac and mobile with Malwarebytes.

While EvilQuest pretends to be ransomware, in the background it’s actually using its ransomware functionalities as a front for exfiltrating large amounts of data, Reed said – the first type of Mac malware that he has seen doing so. EvilQuest also features the ability to deploy a keylogger (for monitoring what’s typed into devices) and the capability to steal cryptocurrency wallets on the victims’ systems.

Overall, the new malware sample points to a rapidly evolving Mac landscape. In fact, for the first time ever, in 2019 researchers found that Macs had outpaced Windows PCs in the number of threats that were detected per endpoint. Reed discusses EvilQuest and other Mac threats in this week’s Threatpost podcast.


Below find a lightly edited transcript of the podcast.

Lindsey O’Donnell Welch: Hi, everyone, welcome back to the Threatpost podcast. You’ve got your host, Lindsey O’Donnell Welch here today with Threatpost. And we’re chatting today about Mac threats and one particular Mac targeting malware that was discovered just this week. So I’m joined today by Thomas Reed, who is the director of Mac and mobile with Malwarebytes, who is an expert in all things Mac and mobile security related. Thomas, thanks so much for joining me today.

Thomas Reed: Yeah, thank you for having me.

LO: So I’m sure that you have a lot going on on your end… but there’s really a lot of things we can talk about today, I feel like there’s so much going on.

TR: Yeah, it’s been really busy the last couple of days especially.

LO: I feel like we should start by addressing the more pressing news that has broken this week. And that is a new malware sample that is targeted toward Mac users, and that’s called EvilQuest. So I’m kind of interested in the analysis part of this, Thomas, because this malware sample was tweeted out on Monday by security researcher Dinesh Devadoss and basically within 24 hours, a bunch of Mac security experts, including yourself, including Patrick Wardle and others, had published analyses on this new malware and so I want to talk a little bit about the malware sample, but I also wanted to ask you a little bit about what goes into analyses when you’re looking at, you know, newly discovered Mac malware samples or families like this one, like what are some of the first things you look for?

TR: Yeah, so one of the first things that I’m interested in finding out is, you know, what artifacts does the malware drop on the system when it runs? So for me, one of the first things that I will typically do is I will load up the malware on a test machine and run it and see what happens, see what it does, see what files it creates, what kind of network connections it makes, all that stuff. So basically doing a live test run, so to speak, and just see what happens. And so, that’s usually the first thing that I will do and certainly, EvilQuest was no different. And then, after I’ve learned what I can from that, then I will go in and look into things like what is it actually doing that maybe I didn’t observe, things like, you know, what kind of code is there in the program, code that’s in some of the files that it drops and that sort of thing. And that’s how we reveal a little bit more of the full capabilities that may not always show up when you’re just running it and testing it.

LO: Right. Yeah, absolutely. And I know for EvilQuest, can you talk me through kind of what you discovered in terms of some of the capabilities that this malware has? I know, you know, there’s a lot of focus on the ransomware aspect of it, but it sounds like there’s also a couple of other functionalities that it has in terms of, you know, sniffing out crypto-wallets on the system, in terms of data exfiltration. So can you walk us through some of those?

TR: Yeah, absolutely. So from the start, we knew that this was ransomware, because we had, actually, before that original tweet there, I had gotten some information from somebody about a post on a Russian torrent forum where people had downloaded an installer, and it turned out to be loaded with ransomware. And they were getting ransomware messages, like the ransom notes and that sort of thing. So I knew it was ransomware from the start, but when I ran it live on a system, I was having a lot of trouble getting it to actually encrypt anything. I wasn’t getting a ransom note or anything like that.

So it was a little bit frustrating because it wasn’t behaving the way that I knew that it was supposed to behave. So I did figure out what files it dropped on the system. Although that initial list was a little incomplete because it didn’t drop everything that it did for some other people and for me on later installs. So right from the start, it seemed a little bit inconsistent, like maybe it was a little buggy or maybe somehow it had decided that I was running it in a suspicious environment, I don’t know. But so I went straight into the static analysis, looking at the code. And interestingly, the code, the compiled code had all the function names right there. So you could actually read through and see what all the functions were and what they were supposed to do, you know, so you could see there were functions for, you know, persistence, functions for encrypting and decrypting, you know, and a number of other things. So you could see kind of a map of all the functionality laid out right there for you. So that was a nice little bonus, you don’t always get that with malware.

And so from the start, we thought it was ransomware. And that’s kind of where all the initial analysis landed. Interestingly, as we’ve done further research into this, it looks like the ransom may not be real, it may be sort of a cover for other activities. We’ve – and I worked a little with Lawrence Abrams at BleepingComputer on some of this – and he had some very interesting revelations from his experience with Windows ransomware. So one of the interesting things to note is that the ransomware notes that were left on the computers, after comparing them from different computers, they all used exactly the same Bitcoin address. So there’s no way for the folks behind it to verify that a particular individual paid. And then on top of that, there’s not an email address given anywhere. So you wouldn’t have any way to contact the people behind this to get your decryption key after you paid. So that’s highly suspicious. That’s very, very weird. That’s not what you would typically see for real ransomware.

LO: Right. Those are certainly red flags.

TR: Yeah, yeah. And then I was also doing some network analysis, seeing what kind of network transactions were going on. And I fired it up and was monitoring everything. And I was seeing hundreds of connection attempts to their command and control server. And when I dug into them, every single one of those connection attempts included two pieces of information, one was a file path to a file on my test system and the second was a base-64 encoded string containing the contents of that file. So it was exfiltrating a huge amount of data. And there was a Python file that was hidden on the system that we found that was responsible for sending all that data. And you could look and see it had a whole list of file extensions that it was looking for. So it wasn’t exfiltrating everything but anything that matched certain file extensions that was in the user’s folder.

LO: That’s really interesting. Have you seen that method before of kind of ransomware being used as a cover for data exfiltration or other malicious activities in the background?

TR: Not on the Mac. No. And so I kind of feel like, you know, being Mac researchers, that folks like me were a little bit handicapped because we don’t have this history of experience with ransomware that Windows researchers do. We’ve only ever actually seen three ransomware pieces of malware on the Mac, and they all dated back to around 2016, early 2017. And all of them are extinct at this point. None of them were particularly successful. They didn’t last very long and we just don’t see them anymore.

LO: Am I correct in saying those three were KeRanger, FindZip and MacRansom?

TR: That’s correct. I think I have never seen a copy of MacRansom detected on any end user system.

LO: Yeah, I’m curious why is ransomware so rare that targets Mac users? I mean, is it because of the users of Mac, is it the Macs themselves are difficult to deploy this ransomware against or what’s behind that?

TR: Honestly, I think that Mac users are kind of a ripe target for malware, because as I mentioned earlier there are still so many that believe that Macs are invulnerable to viruses, to malware. I think that Mac users are a particularly prone target. I think the main reason why we haven’t been targeted with ransomware as much, historically, is just because it’s a smaller market share. So if you’re doing ransomware that’s meant to just scatter widely and infect as many people as possible, you’re going to have more targets on Windows than you are on Mac. So if you spend your time developing on the Mac, you have fewer targets and thus you’ll make less money from your ransomware. So I think that’s really all there is to it. I do think that as Mac market share grows, we will have an increasingly likely risk of ransomware. But at the same time, Apple has done some things that can help mitigate some of those risks. So for example, when I ran this EvilQuest on a recent macOS system, on one running 10.15, so macOS Catalina, it required, it asked for a lot of permissions. So I saw this weirdly named process keep asking me for access to my documents, my desktop, my contacts, my calendars, etc, etc. And so that’s a big red flag. If you’re an end user, and all of a sudden, something you don’t recognize is asking for all those permissions, you may say no, and that’s kind of a barrier that may get in the way of future ransomware.

LO: Right. That’s a really good point. And to your point earlier, I do think that there has been this historic view that Macs are immune from all types of malware. And you know, clearly that’s not the case anymore. I mean, we can see that in this instance. And we can see that with other types of malware that have emerged. And I know that you released a 2020 State of Malware report earlier this year, where you found that, for the first time ever, Macs had outpaced Windows PCs in the number of threats that were detected per endpoint. And the report also saw a significant rise in the overall prevalence of Mac threats that we were seeing in 2019. And I think you guys said it was like a 400 percent increase from 2018. So, you know, I’m sure part of that is due to kind of an increase in Mac endpoints themselves, but why do you think that you’re seeing this upward surge from a threat landscape perspective?

TR: Yeah, well I think part of it is just because the number of Mac users out there is growing, the Mac market share is expanding. Now is kind of a time where PC sales have kind of slumped, a lot of people are more interested in mobile, but the Mac market share still is managing to hold its ground or even grow. So that’s part of it, I’m sure. The other part of it, I believe, is that there’s this perception, and it may or may not be valid in all cases. But the perception is that in general Mac users are a juicier target. And there’s potentially some validity to that. I mean, you can get a cheap Windows PC for a few hundred dollars, but there is not a Mac, anywhere, unless maybe you’re talking about a used Mac on eBay from 10 years ago, that would cost you that little. So, there may be some truth to that perception. And that may mean that, for stuff like this particular malware that does data exfiltration, there may be some very juicy data on your Mac versus on a Windows machine, you know, if it’s a Mac that’s owned by an executive, or someone else who is highly placed in a company, then that’s very juicy data to have.

LO: You’ve definitely been covering Macs for a while now. What are some of the top threats that have only recently emerged that are facing Mac users specifically in 2020?

TR: Well, yeah, there haven’t been a lot of new classes of threats in 2020. I would say that this EvilQuest is probably the first new class of malware that we’ve seen in a very long time. You know, this is something a little bit different than ransomware. And it’s something that really has been typically only seen on Windows, not on Mac. But beyond that, it’s mostly just been new variants of the same old thing. So new variants of things like backdoors, keyloggers, commercial spyware, adware, PUPs, all these different categories, those basic classes haven’t really changed on the Mac very recently.

LO: Right, in the report you had mentioned that the most prevalent types of threats for 2019 include adware and then also PUPs or potentially unwanted programs. And you know, adware seems to be big across mobile overall, by the way, but is it something that is kind of distributed evenly between Macs and Windows? Or is it kind of one versus the other? What are you seeing there in terms of where that’s being targeted?

TR: Yeah, we definitely see a lot of adware and PUP threats on the Windows side as well. It’s a very large portion of the threat landscape on all platforms. You know, especially PUPs, the potentially unwanted programs. Those are things that are kind of on the border, but just a little, they’re trying not to cross the line over to being actual malware. And so those are things that can stay around and stay in business for years without any legal threats. They don’t have to worry about being taken off to jail or anything like that. And without being detected by a lot of antivirus programs. So that’s a popular type of threat these days, because there’s not a lot of risk. Definitely on the Windows side, we see a lot more actual malware where we’re talking about backdoors and, you know, crypto miners, info stealers, that sort of thing. We see a lot more on Windows than on Mac, but there is this constant undercurrent on the Mac of these more malicious programs. And some of them are associated with APT groups like the North Korean Lazarus group. But others really aren’t as attributable to any particular APT, or other groups. They’re just your average malware from some guy somewhere who decided he wanted to get rich on something.

LO: Yeah, no, certainly. And, you know, I’m curious too, for the rest of 2020, what are some of the top trends that you think we’ll see in terms of macOS malware, or different threats that are targeting Macs or just any kind of security trends?

TR: Yeah. So we’ve kind of continued looking at the data for this year compared to last year and of course, you know, I’m sure things will change. We’re only halfway through the year at this point, but we have seen some shifting in which adware and PUPs are at the top of the food chain. But overall we’re still seeing that adware and PUPs are the dominant pieces, the dominant threats on the Mac threat landscape. We do anticipate seeing some further new Mac malware throughout the course of the year. We’ve seen some already, we’ve seen some very interesting stuff so far. I’m kind of curious to see whether this EvilQuest malware is going to usher in kind of a new class of malware to the Mac or if it will be a fairly isolated case. We’ll know more about that in, you know, another six months.

LO: Definitely, and I know EvilQuest too is something that we’ll be keeping our eye on. Is there anything else before we wrap up that you want to mention about EvilQuest, anything that turned your head or, you know, makes it unique from other different types of malware?

TR: Yeah, I think the most unique thing here is not really the way that it does the ransom. You know, it seems like kind of a failed attempt at ransomware. And we’ve seen that before, we mentioned the three pieces of ransomware we’d seen in the past, FindZip was one of them, and it was kind of a failure to start with, there was no way for people to get their files decrypted from the malware author. But the encryption method was so poor that it was fairly trivial to decrypt the files. So seeing something do a bad ransomware attempt on the Mac is nothing new. But seeing it used to cover up other activities is very new and interesting. That’s something we’ve never seen in the history of all Mac malware, that I think is its most unique feature.

LO: Right. Yeah. And there certainly seemed to be a ton of other interesting little aspects of it as well that you had mentioned in your analysis. And I know it has those anti-analysis features, and also the keylogging functionalities too, so I think that it’s going to be really kind of interesting to see where that goes in the next few months, as you mentioned before, and you know, what kind of threat this turns out to be for the Mac landscape. So Thomas, thank you again for coming on to the Threatpost podcast to talk about Mac security and malware that you’re seeing.

TR: Yeah, no problem.

LO: Once again, this is Lindsey O’Donnell Welch with Thomas Reed over at Malwarebytes. If you’re interested in Mac security threats, or if you have any comments on the trends that we’ve discussed today in this podcast, head over to the comments on our Twitter page @Threatpost and send us your thoughts. And to all our listeners have a great rest of the week and catch us next week on the Threatpost podcast.
