Skip to content

S0595 ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.3 Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.14

Item Value
ID S0595
Associated Names MacRansom.K, EvilQuest
Version 1.2
Created 19 March 2021
Last Modified 16 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
MacRansom.K 2
EvilQuest 3

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ThiefQuest uploads files via unencrypted HTTP. 14
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.002 AppleScript ThiefQuest uses AppleScript‘s osascript -e command to launch ThiefQuest‘s persistence via Launch Agent and Launch Daemon. 5
enterprise T1554 Compromise Client Software Binary ThiefQuest searches through the /Users/ folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior. 14
enterprise T1543 Create or Modify System Process -
enterprise T1543.001 Launch Agent ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.5
enterprise T1543.004 Launch Daemon When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true establishing persistence as a Launch Daemon. 5
enterprise T1486 Data Encrypted for Impact ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.1
enterprise T1622 Debugger Evasion ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl checking the returned value of P_TRACED. ThiefQuest also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging.1
enterprise T1041 Exfiltration Over C2 Channel ThiefQuest exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string.14
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories ThiefQuest hides a copy of itself in the user’s ~/Library directory by using a . at the beginning of the file name followed by 9 random characters.5
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes.5
enterprise T1105 Ingress Tool Transfer ThiefQuest can download and execute payloads in-memory or from disk.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging ThiefQuest uses the CGEventTap functions to perform keylogging.6
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.14
enterprise T1106 Native API ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration.1
enterprise T1057 Process Discovery ThiefQuest obtains a list of running processes using the function kill_unwanted.5
enterprise T1620 Reflective Code Loading ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of “unwanted” security related programs, and kills the processes for security related programs.5
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion ThiefQuest invokes time call to check the system’s time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls and the amount of time the system slept to identify the sandbox.5