ThiefQuest aka EvilQuest malware author removes ransomware strains from the Apple Mac malware after security researchers release a decryptor
We had written about the new EvilQuest aka ThiefQuest ransomware infecting MacBooks and Macs running macOS. A few days after the EvilQuest ransomware infections among Mac users started, security researchers at SentinelOne released a free decryption tool online. The decryptor allowed Apple Mac users infected with EvilQuest/ThiefQuest ransomware to recover their files without paying a ransom to the malware creators.
The SentinelOne decryptor also meant the effective end of EvilQuest/ThiefQuest ransomware infections, but Trend Micro security researchers note that the malware continues to infect Apple Mac desktops and laptops, albeit without the ransomware component.
Researchers at Trend Micro have analyzed several samples of the latest Mac malware infections and noticed many changes from the earlier versions. For one, the new version of ThiefQuest no longer has the ransomware capability: Trend Micro researchers found that the malware no longer includes the file-encryption functionality and no longer drops a ransom note.
The latest Mac malware sample analyzed by Trend Micro is said to be the fourth-generation version of ThiefQuest/EvilQuest. The first variant, noticed in early June, focused on creating a backdoor on Macs and MacBooks running macOS. The second and third generations, however, had ransomware capabilities.
Trend Micro researchers believe that the malware authors are working on a new encryption routine to defeat SentinelOne's decryptor. They noticed that the latest version of ThiefQuest has features to open image and sound files with the default macOS applications. The researchers believe that a future version of the ransomware could present the ransom note as a video or use the speech features in macOS to read it out to the victim.
Trend Micro researchers also noted a different set of IP addresses for the command-and-control server, as well as changes in file names and server subdomain names. The latest variant can also detect whether it is running in a sandbox environment and stop itself from executing.