osx.evilquest

EvilQuest

aka: ThiefQuest

According to PcRisk, EvilQuest (also known as ThiefQuest) behaves like many other malicious programs of this type: it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions; this ransomware, however, leaves the file names unchanged.

It drops a "READ_ME_NOW.txt" file in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting whether certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.

References
2022-05-06, CrowdStrike, Paul-Danut Urian: "macOS Malware Is More Reality Than Myth: Popular Threats and Challenges in Analysis". https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities (accessed 2022-05-11). Families: EvilQuest, FlashBack, Shlayer, XCSSET.

2021-09-20, SentinelOne, Phil Stokes: "Defeating macOS Malware Anti-Analysis Tricks with Radare2". https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/ (accessed 2021-10-11). Families: EvilQuest.

2021-03-21, Blackberry, Blackberry Research: "2021 Threat Report" (technical report). https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf (accessed 2021-03-25). Families: Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot.

2021-01-01, Objective-See, Patrick Wardle: "The Mac Malware of 2020 - a comprehensive analysis of the year's new malware". https://objective-see.com/blog/blog_0x5F.html (accessed 2021-01-11). Families: AppleJeus, Dacls, EvilQuest, FinFisher, WatchCat, XCSSET.

2020-09-18, Github (gdbinit), Pedro Vilaça: "EvilQuest/ThiefQuest strings decrypt/deobfuscator". https://github.com/gdbinit/evilquest_deobfuscator (accessed 2020-09-19). Families: EvilQuest.

2020-07-08, SentinelOne, Phil Stokes: "“EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One". https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/ (accessed 2022-03-02). Families: EvilQuest.

2020-07-07, Sentinel LABS, Jason Reaves: "Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine". https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/ (accessed 2020-07-08). Families: EvilQuest.

2020-06-30, Bleeping Computer, Sergiu Gatlan: "EvilQuest wiper uses ransomware cover to steal files from Macs". https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/ (accessed 2020-07-01). Families: EvilQuest.

2020-06-29, Objective-See, Patrick Wardle: "OSX.EvilQuest Uncovered". https://objective-see.com/blog/blog_0x59.html (accessed 2020-06-30). Families: EvilQuest.

2020-06-29, Twitter (@dineshdina04), Dinesh Devadoss: "Tweet on initial Discovery of EvilQuest". https://twitter.com/dineshdina04/status/1277668001538433025 (accessed 2020-07-01). Families: EvilQuest.
Yara Rules
[TLP:WHITE] osx_evilquest_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule osx_evilquest_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 897de0 48 8975d8 48 8955d0 48 c745c800000000 }
            // n = 7, score = 100
            //   897de0               | mov                 dword ptr [ebp - 0x20], edi
            //   48                   | dec                 eax
            //   8975d8               | mov                 dword ptr [ebp - 0x28], esi
            //   48                   | dec                 eax
            //   8955d0               | mov                 dword ptr [ebp - 0x30], edx
            //   48                   | dec                 eax
            //   c745c800000000       | mov                 dword ptr [ebp - 0x38], 0

        $sequence_1 = { 8945f0 48 8b4dd8 48 0faf4dd8 8b45ec 89c2 }
            // n = 7, score = 100
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   48                   | dec                 eax
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   48                   | dec                 eax
            //   0faf4dd8             | imul                ecx, dword ptr [ebp - 0x28]
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   89c2                 | mov                 edx, eax

        $sequence_2 = { 894dd0 4c 89c1 4c 8b45d0 4c 8b4dd0 }
            // n = 7, score = 100
            //   894dd0               | mov                 dword ptr [ebp - 0x30], ecx
            //   4c                   | dec                 esp
            //   89c1                 | mov                 ecx, eax
            //   4c                   | dec                 esp
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   4c                   | dec                 esp
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]

        $sequence_3 = { 837dd000 0f8416000000 48 8b7db0 48 8b75e8 e8???????? }
            // n = 7, score = 100
            //   837dd000             | cmp                 dword ptr [ebp - 0x30], 0
            //   0f8416000000         | je                  0x1c
            //   48                   | dec                 eax
            //   8b7db0               | mov                 edi, dword ptr [ebp - 0x50]
            //   48                   | dec                 eax
            //   8b75e8               | mov                 esi, dword ptr [ebp - 0x18]
            //   e8????????           |                     

        $sequence_4 = { 8b4de8 48 8901 48 8b45f0 48 833800 }
            // n = 7, score = 100
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   48                   | dec                 eax
            //   8901                 | mov                 dword ptr [ecx], eax
            //   48                   | dec                 eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   48                   | dec                 eax
            //   833800               | cmp                 dword ptr [eax], 0

        $sequence_5 = { 48 8945d8 48 8b7dd8 e8???????? 48 8b7df0 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   48                   | dec                 eax
            //   8b7dd8               | mov                 edi, dword ptr [ebp - 0x28]
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]

        $sequence_6 = { 48 8d05c2580000 48 8945f8 e9???????? 48 8d05c1580000 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   8d05c2580000         | lea                 eax, [0x58c2]
            //   48                   | dec                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   e9????????           |                     
            //   48                   | dec                 eax
            //   8d05c1580000         | lea                 eax, [0x58c1]

        $sequence_7 = { 48 89c7 48 898da8feffff 48 89b5a0feffff }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   89c7                 | mov                 edi, eax
            //   48                   | dec                 eax
            //   898da8feffff         | mov                 dword ptr [ebp - 0x158], ecx
            //   48                   | dec                 eax
            //   89b5a0feffff         | mov                 dword ptr [ebp - 0x160], esi

        $sequence_8 = { 48 8b8548ffffff 48 8b10 be???????? e8???????? 48 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   8b8548ffffff         | mov                 eax, dword ptr [ebp - 0xb8]
            //   48                   | dec                 eax
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   be????????           |                     
            //   e8????????           |                     
            //   48                   | dec                 eax

        $sequence_9 = { 48 8d3dddde0000 e8???????? 48 8945d0 48 8b7dd0 }
            // n = 7, score = 100
            //   48                   | dec                 eax
            //   8d3dddde0000         | lea                 edi, [0xdedd]
            //   e8????????           |                     
            //   48                   | dec                 eax
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   48                   | dec                 eax
            //   8b7dd0               | mov                 edi, dword ptr [ebp - 0x30]

    condition:
        7 of them and filesize < 175840
}
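To show how the autogenerated rule above is actually evaluated (its "??" wildcards skip the call and jump targets that differ between builds, and the condition requires 7 of the 10 sequences in a file smaller than 175840 bytes), here is an added Python re-implementation of that matching; it is not code from Malpedia or yara-signator, and the sample buffers are constructed from the rule's own byte sequences rather than taken from a real sample.

```python
import re

# Hex strings copied from the osx_evilquest_auto rule on this page; "??" is a YARA wildcard byte.
SEQUENCES = {
    "sequence_0": "897de0 48 8975d8 48 8955d0 48 c745c800000000",
    "sequence_1": "8945f0 48 8b4dd8 48 0faf4dd8 8b45ec 89c2",
    "sequence_2": "894dd0 4c 89c1 4c 8b45d0 4c 8b4dd0",
    "sequence_3": "837dd000 0f8416000000 48 8b7db0 48 8b75e8 e8????????",
    "sequence_4": "8b4de8 48 8901 48 8b45f0 48 833800",
    "sequence_5": "48 8945d8 48 8b7dd8 e8???????? 48 8b7df0",
    "sequence_6": "48 8d05c2580000 48 8945f8 e9???????? 48 8d05c1580000",
    "sequence_7": "48 89c7 48 898da8feffff 48 89b5a0feffff",
    "sequence_8": "48 8b8548ffffff 48 8b10 be???????? e8???????? 48",
    "sequence_9": "48 8d3dddde0000 e8???????? 48 8945d0 48 8b7dd0",
}
MAX_FILESIZE = 175840  # rule condition: filesize < 175840
MIN_MATCHES = 7        # rule condition: 7 of them

def _byte_pairs(hex_string):
    tokens = hex_string.replace(" ", "")
    return [tokens[i:i + 2] for i in range(0, len(tokens), 2)]

def hex_string_to_regex(hex_string):
    """Compile a YARA hex string into a bytes regex; ?? becomes 'any single byte'."""
    pattern = b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p))
                       for p in _byte_pairs(hex_string))
    return re.compile(pattern, re.DOTALL)

def evaluate_rule(data):
    """Return the matched sequence names and whether the rule condition holds."""
    matched = [name for name, hs in SEQUENCES.items()
               if hex_string_to_regex(hs).search(data)]
    return {"matched": matched,
            "triggers": len(matched) >= MIN_MATCHES and len(data) < MAX_FILESIZE}

def materialise(hex_string, fill=0x11):
    """Constructed test data: the sequence bytes with each ?? replaced by `fill`."""
    return bytes(fill if p == "??" else int(p, 16) for p in _byte_pairs(hex_string))

def build_sample(names):
    """Constructed buffer containing the named sequences, separated by zero padding."""
    return (b"\x00" * 8).join(materialise(SEQUENCES[n]) for n in names)

SAMPLE_HIT = build_sample(list(SEQUENCES)[:8])              # 8 of 10 sequences present
SAMPLE_MISS = build_sample(["sequence_0", "sequence_1"])    # too few sequences present
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_FILESIZE        # matches, but fails the size cap
```

Running `evaluate_rule` on a real file's bytes reproduces the rule's verdict; the size cap is why padded or bundled copies of a sample can slip past this autogenerated rule even when all ten sequences are present.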