Malwarebytes has found a new form of malware targeting Mac users. The malware, called ThiefQuest, is being distributed inside trojanized installers for pirated software shared over torrents.
Downloading pirated software is never a good idea, but people do it anyway. The source it comes from cannot be trusted, and the installer may have been modified to conceal malicious files inside the installation.
Malwarebytes analyzed the ransomware, which was first found hidden in a legitimate-looking installer for Little Snitch, a host-based application firewall for macOS.
The malicious installer was found available for download on a Russian torrent site. It was subsequently also found in installers for the electronic music applications Mixed In Key 8 and Ableton Live.
Analyzing the installer, Malwarebytes researchers discovered that it carries not just generic malware but a new piece of ransomware. When they ran the installer, an executable named “patch” was installed into the directory “/Users/Shared/”.
Once the installer's script has run, the patch file is moved to a different location and renamed “CrashReporter”, the name of a legitimate macOS process, so that it is less likely to stand out. From there, the patch copies itself into several other locations on the system.
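The two indicators described above, an unexpected executable in /Users/Shared/ and a file named CrashReporter sitting outside the system tree, can be surfaced with a small triage script. The script below is an added example, not Malwarebytes's code or anything from the report; it assumes only those two indicators, treats anything under /System as Apple's own, and prints candidates for manual review rather than making a verdict.

```shell
#!/bin/sh
# Triage helper for the dropper behaviour described in the article.
# Added example, not code from Malwarebytes or the malware analysis.
# Assumptions (not from the report): the only known indicators are the
# directory and the file name, and legitimate Apple binaries live under
# /System, so everything found here is a candidate to inspect by hand.

# List regular files with the owner execute bit set directly inside a
# directory (the report describes an executable dropped into /Users/Shared/).
# Prints nothing and succeeds if the directory does not exist.
find_executables_in() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -perm -100 -print 2>/dev/null | sort
}

# Report files named CrashReporter outside the system tree, where a copy
# masquerading as the legitimate macOS process would have been placed.
# ROOT is a path prefix so the same check can run over a mounted image.
find_crashreporter_impostors() {
    root=${1:-/}
    root=${root%/}   # strip a trailing slash so "/" and "/mnt/img/" both work
    find "${root:-/}" -path "$root/System" -prune -o \
        -type f -name CrashReporter -print 2>/dev/null | sort
}

# Usage on a live system (one candidate path per line):
#   find_executables_in /Users/Shared
#   find_crashreporter_impostors /
```

A hit from either function is a starting point, not proof: check the file's code signature and hash, and compare its path with where the genuine process actually runs before drawing conclusions.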
The team noticed that some applications began to malfunction, and it turned out the ransomware had encrypted keychain files as well as other data files. Victims are then asked to pay $50 to regain access to their files.
ThiefQuest demands $50 in Bitcoin to decrypt the files, but even if the attackers did decrypt them on receipt of the ransom, they would retain access to the victim's credentials and data through the other malicious components installed alongside the ransomware.
According to Malwarebytes, there are still no details on how a decryption key would be provided. Researchers are also investigating which encryption ThiefQuest uses on its victims' files and whether it can be broken.