ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020, distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[1] Although ThiefQuest presents itself as ransomware, the dynamically generated encryption key is never sent to the attacker, so it may be more appropriately thought of as a form of wiper malware.[2][3]

ID: S0595
Associated Software: MacRansom.K, EvilQuest
Type: MALWARE
Platforms: macOS
Version: 1.2
Created: 19 March 2021
Last Modified: 16 April 2022

Associated Software Descriptions

Name          Description
MacRansom.K   [4]
EvilQuest     [1]

Techniques Used

Domain ID Name Use
Enterprise T1554 Compromise Host Software Binary

ThiefQuest searches through the /Users/ folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file, so that when the file is executed the ThiefQuest code runs first. ThiefQuest then creates a hidden file, copies the original target executable into it, and executes that hidden file to maintain the appearance of normal behavior.[2][3]
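A triage check for the prepended-binary infection described above, added here as an example (this is not ThiefQuest code and not from the cited reports). Because the malware prepends itself, the infected file begins with the malware's Mach-O header and the original program's header survives deeper in the file; a thin Mach-O that contains a second plausible Mach-O header at a non-zero offset is therefore worth a look. The sample files are constructed in memory; the `plausible_header` bounds (filetype 1..12, ncmds up to 4096) are heuristics chosen here.

```python
"""Triage check for a prepended Mach-O infection of the kind ThiefQuest performs.

Added example, not ThiefQuest code. Flags thin Mach-O files that contain a
second plausible Mach-O header after offset 0. Sample inputs are constructed.
"""
import struct
from pathlib import Path

THIN_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
LITTLE_ENDIAN_MAGICS = {b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}


def magic_offsets(data: bytes) -> list:
    """Every offset at which a thin Mach-O magic appears, aligned or not."""
    offsets = []
    for magic in THIN_MAGICS:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            offsets.append(pos)
            start = pos + 1
    return sorted(offsets)


def plausible_header(data: bytes, off: int) -> bool:
    """Reject chance byte runs: filetype must be a known MH_* value and ncmds sane (heuristic bounds)."""
    if len(data) < off + 28:
        return False
    endian = "<" if data[off:off + 4] in LITTLE_ENDIAN_MAGICS else ">"
    _cputype, _cpusubtype, filetype, ncmds, _sizeofcmds, _flags = struct.unpack(
        endian + "6I", data[off + 4:off + 28])
    return 1 <= filetype <= 12 and 1 <= ncmds <= 4096   # MH_OBJECT .. MH_FILESET


def embedded_images(data: bytes) -> list:
    """Offsets of extra Mach-O headers in a thin Mach-O; [] for fat (universal) or non-Mach-O input."""
    if data[:4] not in THIN_MAGICS:       # fat binaries legitimately carry several images
        return []
    return [off for off in magic_offsets(data) if off and plausible_header(data, off)]


def scan_tree(root: Path, max_bytes: int = 64 * 1024 * 1024) -> dict:
    """Map executable paths under root to the offsets of embedded images found in them."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file() or not (p.stat().st_mode & 0o111):
            continue
        with p.open("rb") as fh:
            offs = embedded_images(fh.read(max_bytes))
        if offs:
            hits[str(p)] = offs
    return hits


def make_header(filetype: int = 2, ncmds: int = 3) -> bytes:
    """Constructed little-endian x86_64 mach_header_64 (MH_EXECUTE by default)."""
    return b"\xcf\xfa\xed\xfe" + struct.pack(
        "<7I", 0x01000007, 3, filetype, ncmds, ncmds * 72, 0x00200085, 0)


CLEAN = make_header() + b"\x00" * 4000                                      # constructed
INFECTED = make_header() + b"\x00" * 4000 + make_header() + b"\x00" * 2000  # constructed: second image at 4032

if __name__ == "__main__":
    print("clean:", embedded_images(CLEAN), "infected:", embedded_images(INFECTED))
    print(scan_tree(Path.home()))
```

Expect false positives from legitimate programs that embed a helper executable as data (installers, some packers); a definitive check compares each hit against the file sizes declared by the outer image's own segment load commands.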

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.[2][3]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.[5]

.004 Create or Modify System Process: Launch Daemon

When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true, establishing persistence as a Launch Daemon.[5]
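An audit of launchd property lists for the persistence pattern in the two entries above, added here as an example (not ThiefQuest code). It parses each plist with plistlib and flags the combination this page describes: RunAtLoad set to true and a program path that is a hidden file directly under ~/Library named with a leading dot and nine random characters (the naming is taken from the Hidden Files and Directories entry on this page). The two sample plists and the path /Users/alice/Library/.ab12CD34x are constructed, not real indicators.

```python
"""Audit launchd plists for the ThiefQuest persistence pattern.

Added example, not ThiefQuest code. Flags RunAtLoad=true combined with a
program path of the form ~/Library/.<nine alphanumerics>. Samples constructed.
"""
import plistlib
import re
from pathlib import Path
from typing import List, Optional

# A dotfile of exactly nine alphanumerics sitting directly in a user's ~/Library.
HIDDEN_NAME = re.compile(r"^/Users/[^/]+/Library/\.[A-Za-z0-9]{9}$")


def program_path(plist: dict) -> Optional[str]:
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit(plist: dict) -> List[str]:
    """Return the indicators a plist matches; an empty list means none matched."""
    findings = []
    if plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad")
    prog = program_path(plist) or ""
    if HIDDEN_NAME.match(prog):
        findings.append("hidden dotfile in ~/Library")
    return findings


def is_suspicious(findings: List[str]) -> bool:
    """Both indicators together reproduce the pattern; RunAtLoad alone is common in benign agents."""
    return "RunAtLoad" in findings and "hidden dotfile in ~/Library" in findings


def audit_dirs(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")) -> dict:
    """Audit every *.plist in the usual launchd folders; unparseable files are reported too."""
    results = {}
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                with p.open("rb") as fh:
                    findings = audit(plistlib.load(fh))
            except Exception:  # malformed XML or corrupt binary plist: still worth a look
                findings = ["unparseable"]
            if findings:
                results[str(p)] = findings
    return results


SUSPICIOUS_PLIST = plistlib.dumps({   # constructed
    "Label": "com.example.agent",
    "ProgramArguments": ["/Users/alice/Library/.ab12CD34x"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({       # constructed: RunAtLoad by itself is normal
    "Label": "com.example.updater",
    "Program": "/Users/alice/Library/Application Support/Example/updater",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        f = audit(plistlib.loads(blob))
        print(name, f, is_suspicious(f))
    print(audit_dirs())
```

Run it per user as well as against /Library/LaunchDaemons: the Launch Agent lands in the user's LaunchAgents folder, and the daemon only appears when the sample obtained root.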

Enterprise T1620 Reflective Code Loading

ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads.[2]

Enterprise T1059 .002 Command and Scripting Interpreter: AppleScript

ThiefQuest runs osascript -e to execute AppleScript that installs its Launch Agent and Launch Daemon persistence.[5]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security-related processes.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ThiefQuest uploads files via unencrypted HTTP.[2][3]

Enterprise T1486 Data Encrypted for Impact

ThiefQuest encrypts files with a targeted set of extensions on the host, deletes the original files, and drops a ransom note with no contact information.[2]

Enterprise T1106 Native API

ThiefQuest uses various native APIs to perform behaviors such as executing payloads and performing local enumeration.[2]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

ThiefQuest calls time to read the system clock, executes a sleep command, calls time again, and compares the interval between the two readings with the amount of time it asked to sleep; an interval shorter than the requested sleep indicates a sandbox that accelerates sleep.[5]

Enterprise T1622 Debugger Evasion

ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl and checks whether the P_TRACED flag is set in the returned process information. ThiefQuest also calls ptrace with the PT_DENY_ATTACH request to prevent a debugger from attaching.[2]
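Both checks from the entry above, as an added example (not ThiefQuest code). On macOS, sysctl with CTL_KERN/KERN_PROC/KERN_PROC_PID returns a struct kinfo_proc whose kp_proc.p_flag field carries P_TRACED (0x800) while a debugger is attached; ptrace request 31 is PT_DENY_ATTACH. So that the module runs anywhere, it falls back on Linux to the TracerPid field of /proc/self/status, a different mechanism added here for portability. deny_attach() is defined but never called.

```python
"""Debugger presence checks mirroring the is_debugging logic described above.

Added example, not ThiefQuest code. macOS: sysctl(KERN_PROC) + P_TRACED and
ptrace(PT_DENY_ATTACH). Linux fallback: TracerPid in /proc/self/status.
"""
import ctypes
import os
import struct
import sys

CTL_KERN, KERN_PROC, KERN_PROC_PID = 1, 14, 1
P_TRACED = 0x00000800
PT_DENY_ATTACH = 31
P_FLAG_OFFSET = 32   # kp_proc.p_flag within struct kinfo_proc on 64-bit macOS


def macos_p_flag(pid: int) -> int:
    """Read p_flag for pid via sysctl; raises OSError off macOS or on failure."""
    libc = ctypes.CDLL(None, use_errno=True)
    mib = (ctypes.c_int * 4)(CTL_KERN, KERN_PROC, KERN_PROC_PID, pid)
    buf = ctypes.create_string_buffer(1024)      # sizeof(struct kinfo_proc) is 648; oversize is fine
    size = ctypes.c_size_t(ctypes.sizeof(buf))
    if libc.sysctl(mib, 4, buf, ctypes.byref(size), None, 0) != 0:
        raise OSError(ctypes.get_errno(), "sysctl(KERN_PROC) failed")
    (p_flag,) = struct.unpack_from("i", buf.raw, P_FLAG_OFFSET)
    return p_flag


def tracer_pid_from_status(status_text: str) -> int:
    """Parse the TracerPid field of a Linux /proc/<pid>/status; 0 means no tracer."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split()[1])
    return 0


def is_debugging() -> bool:
    """Platform-appropriate 'am I being traced?' check."""
    if sys.platform == "darwin":
        return bool(macos_p_flag(os.getpid()) & P_TRACED)
    if sys.platform.startswith("linux"):
        with open("/proc/self/status") as fh:
            return tracer_pid_from_status(fh.read()) != 0
    return False


def deny_attach() -> bool:
    """macOS only: ptrace(PT_DENY_ATTACH, 0, 0, 0); True when the kernel accepted the request."""
    if sys.platform != "darwin":
        return False
    libc = ctypes.CDLL(None, use_errno=True)
    libc.ptrace.argtypes = [ctypes.c_int, ctypes.c_int, ctypes.c_void_p, ctypes.c_int]
    libc.ptrace.restype = ctypes.c_int
    return libc.ptrace(PT_DENY_ATTACH, 0, None, 0) == 0


if __name__ == "__main__":
    print("traced:", is_debugging())
```

Both checks are defeated by a debugger that breaks on the sysctl and ptrace calls and patches their results, so for analysis they are an inconvenience rather than a barrier; their presence in a binary is, however, a useful triage indicator in its own right.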

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of "unwanted" security-related programs, and kills the processes for security-related programs.[5]

Enterprise T1105 Ingress Tool Transfer

ThiefQuest can download and execute payloads in-memory or from disk.[2]

Enterprise T1056 .001 Input Capture: Keylogging

ThiefQuest uses the CGEventTap functions to perform keylogging.[6]

Enterprise T1057 Process Discovery

ThiefQuest obtains a list of running processes using the function kill_unwanted.[5]

Enterprise T1041 Exfiltration Over C2 Channel

ThiefQuest exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string.[2][3]
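A body-inspection routine for the exfiltration described above, added here as an example. It is not ThiefQuest code and not a signature for its exact wire format, which the entry does not give: it looks for a /Users/ path followed by a long base64 run, decodes the run, and reports the path, its extension and the decoded size. The request body, the separator between path and blob, and the extension watchlist are all constructed assumptions.

```python
"""Pull path + base64 exfiltration records out of a cleartext HTTP body.

Added example, not ThiefQuest code. The separator between path and blob and
the extension watchlist are assumptions; the sample body is constructed.
"""
import base64
import binascii
import re
from typing import List, Optional

# An absolute /Users/ path, a short separator, then at least 64 base64 characters plus optional padding.
RECORD = re.compile(
    rb"(?P<path>/Users/[^\s\x00\x22\x27]{1,4096}?)[\s=:;,|]+(?P<b64>[A-Za-z0-9+/]{64,}={0,2})"
)
WATCHED_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".key", ".pem", ".pages"}  # assumed watchlist


def decode_record(match: re.Match) -> Optional[dict]:
    """Decode one regex hit; None if the blob is not valid base64."""
    try:
        data = base64.b64decode(match.group("b64"), validate=True)
    except (binascii.Error, ValueError):
        return None
    path = match.group("path").decode("utf-8", "replace")
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return {"path": path, "ext": ext, "size": len(data), "watched": ext in WATCHED_EXTS}


def find_exfil(body: bytes) -> List[dict]:
    """All decodable path+blob records in an HTTP request body, in order of appearance."""
    return [rec for rec in (decode_record(m) for m in RECORD.finditer(body)) if rec]


SAMPLE_BODY = (   # constructed POST body, not a capture
    b"/Users/alice/Documents/report.pdf="
    + base64.b64encode(b"%PDF-1.4 constructed sample contents " * 3)
    + b"\n/Users/alice/Pictures/cat.jpg="
    + base64.b64encode(b"\xff\xd8\xff\xe0" + b"\x00" * 80)
)

if __name__ == "__main__":
    for rec in find_exfil(SAMPLE_BODY):
        print(rec)
```

Body inspection only works because the channel is unencrypted HTTP; pair the match with destination and Content-Type context to keep false positives from legitimate file uploads manageable.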

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

ThiefQuest hides a copy of itself in the user's ~/Library directory by using a file name that begins with a . followed by 9 random characters.[5]

References