Mac users are now exposed to a new “ThiefQuest” ransomware that encrypts files and causes multiple issues with the operating system. Malwarebytes has analyzed the ransomware today, which is being distributed through macOS pirate apps.
The malicious code was first found in a pirate copy of the Little Snitch app available on a Russian forum with torrent links. The downloaded app comes with a PKG installer file, unlike its original version.
By examining this PKG file, Malwarebytes discovered that the app comes with a “postinstall script,” which is typically used to clean up the installation after the process is completed. In this case, however, the script implements malware in macOS.
The script file is copied to a folder related to the Little Snitch app under the name CrashReporter, so the user won’t notice it running in the Activity Monitor since macOS has an internal app with a similar name. The set location is: /Library/LittleSnitchd/CrashReporter.
Malwarebytes notes that it takes some time before the ransomware starts working after it’s installed, so the user won’t associate it with the latest app installed. Once the malicious code is activated, it modifies the system and user files with unknown encryption.
Part of the encryption causes the Finder not to work properly and the system crashes constantly. Even the system’s Keychain gets corrupted, so it’s impossible to access passwords and certificates saved on the Mac. A message on the screen says the user must pay $50 to recover its files, otherwise everything will be deleted after three days.
There’s still no way to get rid of malware after it has encrypted the files without formatting the entire disk, so users should keep an updated backup of everything.
Although the ransomware is only included with pirated apps for now, Apple must fix this security flaw as quickly as possible since this malicious code can be included in more apps distributed outside the App Store.
You can read more technical details about ThiefQuest on Malwarebytes’ website.
Update: The original name for the malware, EvilQuest, has been changed due to a legitimate game of the same name from 2012. The new name is ThiefQuest.