Fwd: Virus Alert : ThiefQuest Ransomware


Virus Type: Ransomware

It has been reported that a new macOS ransomware, named "ThiefQuest" (also "EvilQuest"), has been spreading since June 2020. Beyond encrypting files on the system, it installs a keylogger and a remote shell and steals cryptocurrency-wallet files from infected hosts. Even after the victim pays the ransom, the attackers retain access to the computer and can continue to exfiltrate files and keystrokes, so paying does not end the compromise and the attackers can carry on spying on the victim.

Infection mechanism:

The ransomware is distributed through trojanized copies of legitimate applications (Little Snitch, Ableton and Mixed in Key) posted on torrent websites. Once the installer is launched, ThiefQuest starts encrypting files, appending a BEBABEDD marker at the end of each encrypted file. It encrypts files smaller than 800 KB that carry one of the following extensions: .pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat

When encryption is complete, it drops a text file named READ_ME_NOW.txt containing the ransom instructions.

The ransom note (Fig. 3) contains no e-mail address for contacting the attackers to obtain a decryptor after payment. This makes it impossible for the attackers to identify victims who have paid the ransom, which raises the suspicion that the ransomware is a cover for spying and other malicious activity rather than a genuine extortion scheme.

ThiefQuest also downloads Python scripts disguised as GIF files and runs them. These scripts search the filesystem and, for every file that matches their criteria, base64-encode the contents and send them to the C&C server. Targeted files include text files, images, Word documents, SSL certificates, code-signing certificates, source code, projects, backups, spreadsheets, presentations, databases and cryptocurrency wallets.

Indicators of compromise:

Websites:
hxxp://andrewka6[d0t]pythonanywhere[d0t]com/ret[d0t]txt
hxxp://167[d0t]71[d0t]237[d0t]219

File locations:
/var/root/.aespot
~/.aespot
~/Library/LaunchAgents/com.apple.abtpd.plist
~/Library/PrivateSync/com.abtpd.questd
~/Library/LaunchDaemons/com.apple.abtpd.plist
~/Library/PrivateSync/com.abtpd.questd

Hashes (SHA-256):
06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff
d18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2
c5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833465fd1383d3
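
The following host-triage script is an added example, not code from the advisory or from the malware's analysts. It turns the behaviour described under "Infection mechanism" and the file-based indicators above into one offline check: it walks a directory and reports files that end in the BEBABEDD encryption marker, READ_ME_NOW.txt ransom notes, files with a .gif extension whose bytes are not a GIF (the disguised Python exfiltration scripts), and files whose SHA-256 is on the hash list; it also tests whether the listed persistence paths exist. The advisory gives the marker as a hex word rather than a byte sequence, so the script assumes nothing about endianness and matches both byte orders; the sample directory it builds is constructed test data.

```python
"""ThiefQuest host triage (added example; not the advisory's own code).

Reports: encrypted files (BEBABEDD marker at end of file), READ_ME_NOW.txt
ransom notes, .gif files that are not GIFs, files matching the listed
SHA-256 hashes, and persistence paths present on the host.
"""
import hashlib
import os
import tempfile

# Assumption: the advisory prints the marker as a hex word, so both byte
# orders are accepted; confirm against a real sample before relying on it.
MARKERS = (bytes.fromhex("BEBABEDD"), bytes.fromhex("DDBEBABE"))
RANSOM_NOTE = "READ_ME_NOW.txt"
GIF_MAGIC = (b"GIF87a", b"GIF89a")
KNOWN_HASHES = {
    "06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff",
    "d18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2",
    "c5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833465fd1383d3",
}
PERSISTENCE_PATHS = [
    "/var/root/.aespot",
    "~/.aespot",
    "~/Library/LaunchAgents/com.apple.abtpd.plist",
    "~/Library/PrivateSync/com.abtpd.questd",
    "~/Library/LaunchDaemons/com.apple.abtpd.plist",
]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def has_marker(path):
    """True when the file's last four bytes are the encryption marker."""
    size = os.path.getsize(path)
    if size < 4:
        return False
    with open(path, "rb") as f:
        f.seek(size - 4)
        return f.read(4) in MARKERS


def is_fake_gif(path):
    """True for a file whose header is not GIF87a/GIF89a (e.g. a script)."""
    with open(path, "rb") as f:
        return not f.read(6).startswith(GIF_MAGIC)


def scan_tree(root):
    """Return {category: [paths]} for the four file-based indicators."""
    findings = {"encrypted": [], "ransom_notes": [], "fake_gifs": [], "known_hashes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if has_marker(path):
                findings["encrypted"].append(path)
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(path)
            if name.lower().endswith(".gif") and is_fake_gif(path):
                findings["fake_gifs"].append(path)
            # Hashing every file is acceptable for a home directory; scope it for "/".
            if sha256_of(path) in KNOWN_HASHES:
                findings["known_hashes"].append(path)
    return findings


def check_persistence(paths=PERSISTENCE_PATHS):
    """Return the listed persistence artifacts that exist on this host."""
    return [p for p in paths if os.path.lexists(os.path.expanduser(p))]


def build_demo_tree():
    """Constructed sample directory: one look-alike of each indicator plus clean files."""
    root = tempfile.mkdtemp(prefix="thiefquest_demo_")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"\x9a\x11\x00\xf3" * 8 + MARKERS[0])     # "encrypted" file with marker
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0 clean jpeg bytes")      # untouched file
    with open(os.path.join(root, RANSOM_NOTE), "w") as f:
        f.write("Your files are encrypted\n")               # ransom note
    with open(os.path.join(root, "loader.gif"), "wb") as f:
        f.write(b"import os\nprint('not a gif')\n")        # script disguised as GIF
    with open(os.path.join(root, "real.gif"), "wb") as f:
        f.write(b"GIF89a\x01\x00\x01\x00")                  # genuine GIF header
    return root


if __name__ == "__main__":
    for category, paths in scan_tree(build_demo_tree()).items():
        print(category, paths)
    print("persistence artifacts present:", check_persistence())
```

Run it against a user's home directory rather than the whole disk: the hash check reads every file, and the persistence paths are expanded relative to the invoking user, so check the root-owned /var/root/.aespot entry as root.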

Countermeasures and best practices for prevention:

Users are advised to disable RDP if it is not in use; where it is required, it should be placed behind a firewall and governed by proper access policies.

All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates or patches obtained from any unofficial channel.

Restrict execution of PowerShell and WSCRIPT in an enterprise environment. Ensure the latest version of PowerShell is installed with enhanced logging enabled (script block logging and transcription), and send the associated logs to a centralized log repository for monitoring and analysis. (The RDP, PowerShell and WSCRIPT controls apply to Windows hosts; ThiefQuest itself targets macOS.)

Establish a Sender Policy Framework (SPF) record for your domain. SPF is an e-mail validation system that detects sender-address spoofing, the route by which most ransomware samples reach corporate mailboxes.
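
To make the SPF recommendation concrete, here is a minimal SPF evaluator. It is an added example, not part of the advisory and not a full RFC 7208 implementation: the domain in the envelope sender publishes a TXT record listing the IP ranges allowed to send on its behalf, and a message from any other source gets the verdict attached to the record's final "all" term, which is what defeats a spoofed From domain. Records and addresses below are constructed test data. Mechanisms that need DNS (a, mx, include, exists, ptr) are answered through an optional resolver callback so the code runs offline; the callback and its contents are assumptions for the demo.

```python
"""Minimal SPF evaluator (added example; not the advisory's own code).

Handles ip4, ip6 and all directly; DNS-backed mechanisms go through an
optional resolver(mechanism, argument, ip) -> bool callback.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms.

    Modifiers such as redirect=... or exp=... come back with a mechanism
    name ending in '=' so the evaluator can skip them.
    """
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for term in parts[1:]:
        qual = "+"                               # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if "=" in term:                          # modifier, e.g. redirect=_spf.example.com
            name, _, arg = term.partition("=")
            terms.append((qual, name.lower() + "=", arg))
            continue
        mech, _, arg = term.partition(":")       # "ip6:2001:db8::/32" splits at the first ':'
        terms.append((qual, mech.lower(), arg))
    return terms


def check_host(sender_ip, record, resolver=None):
    """Return pass/fail/softfail/neutral/permerror for sender_ip against record."""
    ip = ipaddress.ip_address(sender_ip)
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    for qual, mech, arg in terms:
        if mech == "all":
            return QUALIFIERS[qual]              # catch-all: the verdict for everyone else
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"               # malformed record; receivers reject it
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual]
        elif mech in ("a", "mx", "include", "exists", "ptr"):
            if resolver is not None and resolver(mech, arg, ip):
                return QUALIFIERS[qual]
        elif mech.endswith("="):
            continue                             # modifiers are ignored here
        else:
            return "permerror"                   # unknown mechanism
    return "neutral"                             # nothing matched and no "all" term


# Constructed record: own mail servers on two ranges plus a third-party mailer.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all"


def demo_resolver(mech, arg, ip):
    """Stand-in for DNS (assumption): the included mailer publishes 198.51.100.0/24."""
    included = {"_spf.mailer.example": ipaddress.ip_network("198.51.100.0/24")}
    return mech == "include" and arg in included and ip in included[arg]


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.9", "2001:db8::1"):
        print(src, "->", check_host(src, EXAMPLE_RECORD, demo_resolver))
```

Note the asymmetry a gateway must respect: a record ending in "-all" lets the receiver reject spoofed mail outright, while "~all" only marks it, and a record with no "all" term yields neutral, which protects nothing. SPF also checks only the envelope sender, so pair it with DKIM and DMARC to cover the header From that users actually see.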

Apply application whitelisting or a strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths, since ransomware samples are generally dropped and executed from these locations.

Do not open attachments in unsolicited e-mails, even if they appear to come from people in your contact list, and never click a URL contained in an unsolicited e-mail, even if the link seems benign. If a URL is genuine, close the e-mail and go to the organization's website directly through the browser.

Block attachments with the following file types:
exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
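
The extension list above is only useful if the gateway check survives the usual name tricks, so here is the policy as an added example (not the advisory's own code). It takes the list verbatim and handles mixed case, trailing dots or spaces (which Windows strips when resolving a name), a blocked extension hidden behind a document-looking one such as invoice.pdf.exe, and the Unicode right-to-left override character, which makes a name that really ends in .exe display as if it ended in .pdf. The sample attachment names are constructed.

```python
"""Attachment file-type policy (added example; not the advisory's own code)."""

BLOCKED_PATTERN = "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf"
BLOCKED_EXTENSIONS = frozenset(BLOCKED_PATTERN.split("|"))
RLO = "\u202e"   # U+202E RIGHT-TO-LEFT OVERRIDE: "invoice\u202efdp.exe" displays as invoiceexe.pdf


def normalize_name(filename):
    """Reduce a name to the form the receiving OS uses to pick a handler."""
    return filename.rstrip(". ").lower()     # Windows drops trailing dots/spaces


def attachment_verdict(filename):
    """Return ("block", reason) or ("allow", reason) for one attachment name."""
    if RLO in filename:
        return ("block", "right-to-left override in file name")
    name = normalize_name(filename)
    if "." not in name:
        return ("allow", "no extension")
    parts = name.split(".")
    final = parts[-1].strip()                # "invoice.pdf .exe" still ends in exe
    if final in BLOCKED_EXTENSIONS:
        kind = "double extension" if len(parts) > 2 else "extension"
        return ("block", "%s .%s" % (kind, final))
    return ("allow", ".%s not on the block list" % final)


def filter_attachments(names):
    """Split a message's attachment names into (allowed, blocked) lists of (name, reason)."""
    allowed, blocked = [], []
    for n in names:
        verdict, reason = attachment_verdict(n)
        (allowed if verdict == "allow" else blocked).append((n, reason))
    return allowed, blocked


# Constructed sample: one clean document, one plain blocked type, and three evasions.
SAMPLE_NAMES = ["report.docx", "setup.EXE", "invoice.pdf.exe", "update.js. ", "invoice\u202efdp.exe"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "->", attachment_verdict(name))
```

The list does not cover archives, so a .zip that carries a .js or .exe passes this check; a gateway that accepts archives has to open them and apply the same verdict to each member.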

Consider encrypting confidential data, as ransomware generally targets common file types.

Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite recovery. Ideally this data should be kept on a separate device, and backups should be stored offline.

Network segmentation and segregation into security zones help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks (VLANs).

Install ad blockers to combat exploit kits, such as Fallout, that are distributed via malicious advertising.
