S0595 ThiefQuest
ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020, distributed via trojanized pirated versions of popular macOS software shared as torrent links on Russian forums. [3] Even though ThiefQuest presents itself as ransomware, the dynamically generated encryption key is never sent to the attacker, so it may be more appropriately thought of as a form of wiper malware. [1][4]
| Item | Value |
|---|---|
| ID | S0595 |
| Associated Names | MacRansom.K, EvilQuest |
| Type | MALWARE |
| Version | 1.2 |
| Created | 19 March 2021 |
| Last Modified | 16 April 2022 |
Associated Software Descriptions
| Name | Description |
|---|---|
| MacRansom.K | [2] |
| EvilQuest | [3] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ThiefQuest uploads files via unencrypted HTTP. [1][4] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.002 | AppleScript | ThiefQuest uses AppleScript's `osascript -e` command to launch ThiefQuest's persistence via Launch Agent and Launch Daemon. [5] |
| enterprise | T1554 | Compromise Client Software Binary | ThiefQuest searches through the /Users/ folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file, so that when the file is executed the ThiefQuest code runs first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior. [1][4] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.001 | Launch Agent | ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder. [5] |
| enterprise | T1543.004 | Launch Daemon | When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true, establishing persistence as a Launch Daemon. [5] |
| enterprise | T1486 | Data Encrypted for Impact | ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information. [1] |
| enterprise | T1622 | Debugger Evasion | ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl and checks the returned value for P_TRACED. ThiefQuest also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging. [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | ThiefQuest exfiltrates files with targeted extensions from the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file as a base64 encoded string. [1][4] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | ThiefQuest hides a copy of itself in the user's ~/Library directory by using a `.` at the beginning of the file name followed by 9 random characters. [5] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes. [5] |
| enterprise | T1105 | Ingress Tool Transfer | ThiefQuest can download and execute payloads in memory or from disk. [1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | ThiefQuest uses the CGEventTap functions to perform keylogging. [6] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable. [1][4] |
| enterprise | T1106 | Native API | ThiefQuest uses various APIs to perform behaviors such as executing payloads and performing local enumeration. [1] |
| enterprise | T1057 | Process Discovery | ThiefQuest obtains a list of running processes using the function kill_unwanted. [5] |
| enterprise | T1620 | Reflective Code Loading | ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads. [1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of "unwanted" security related programs, and kills the processes for security related programs. [5] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Evasion | ThiefQuest invokes a time call to check the system's time, executes a sleep command, invokes a second time call, and then compares the difference between the two time calls with the amount of time the system slept to identify a sandbox. [5] |
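A defender-side hunt for the Launch Agent persistence described under T1543.001 and T1564.001, added here as an example (not code from the ATT&CK page or from the referenced analyses): it parses every plist in a LaunchAgents folder and flags those that run, at load, a hidden file directly under ~/Library whose name is a dot followed by 9 characters. The folder layout, plist labels and the hidden file name are constructed fixtures.

```python
"""Hunt for ThiefQuest-style launch agent persistence (added example)."""
import os
import plistlib
import re
import tempfile

# Hidden-file naming described on the page: "." followed by 9 random characters.
HIDDEN_NAME = re.compile(r"^\.[A-Za-z0-9]{9}$")


def suspicious_agents(agents_dir, library_dir):
    """Return [(plist_path, program_path)] for agents with RunAtLoad=true whose
    program is a hidden 9-character file located directly in library_dir."""
    hits = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as f:
                plist = plistlib.load(f)
        except (plistlib.InvalidFileException, OSError):
            continue  # malformed plist: a production hunt would log this
        args = plist.get("ProgramArguments") or [plist.get("Program", "")]
        program = args[0] if args else ""
        parent, base = os.path.split(program)
        if (plist.get("RunAtLoad") is True
                and os.path.abspath(parent) == os.path.abspath(library_dir)
                and HIDDEN_NAME.match(base)):
            hits.append((path, program))
    return hits


def demo():
    """Constructed fixture: one benign agent and one ThiefQuest-like agent."""
    root = tempfile.mkdtemp()
    library = os.path.join(root, "Library")
    agents = os.path.join(library, "LaunchAgents")
    os.makedirs(agents)
    benign = {"Label": "com.example.updater", "RunAtLoad": True,
              "ProgramArguments": ["/usr/bin/true"]}  # constructed, benign
    evil = {"Label": "com.example.agent", "RunAtLoad": True,
            "ProgramArguments": [os.path.join(library, ".ab12cd34e")]}  # constructed
    for fname, data in (("benign.plist", benign), ("hidden.plist", evil)):
        with open(os.path.join(agents, fname), "wb") as f:
            plistlib.dump(data, f)
    return suspicious_agents(agents, library)


if __name__ == "__main__":
    for plist_path, program in demo():
        print(f"suspicious launch agent: {plist_path} -> {program}")
```

On a real host, point `suspicious_agents` at `~/Library/LaunchAgents` and `~/Library`; the same check applies to /Library/LaunchDaemons for the root-level variant (T1543.004).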
References
1. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
2. Phil Stokes. (2020, July 8). "EvilQuest" Rolls Ransomware, Spyware & Data Theft Into One. Retrieved April 1, 2021.
3. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.
4. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
5. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
6. Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021.