EvilQuest Ransomware Targeting Mac Users Through Pirated Apps

A new ransomware that targets Mac users has been found online, hiding inside a website that shares torrent links.

According to Malwarebytes, a new ransomware known as “EvilQuest” is targeting unsuspecting Mac users that download pirated apps from the internet. This new ransomware can be installed in Macs by way of a malicious Little Snitch app installer that can be downloaded from a Russian forum that provides torrent links.

Per Malwarebytes' Thomas Reed, the Little Snitch installer shows some signs that should drive cautious Mac users away from it. The malicious installer comes in a simple Apple installer package that uses a generic icon. What's more, the malicious installer package is “pointlessly distributed” inside a disk image file.

The legitimate Little Snitch installer, on the other hand, is “attractively and professionally packaged,” and comes with a “properly code signed” custom installer.

Like the legitimate installer, the malicious Little Snitch installer also includes installer and uninstaller apps, but with the addition of a “Patch” file. The package also includes a script that, when the installation is complete, will move the Patch file into a different location then renames it into a file called “CrashReporter,” which allows it to hide in the Activity Monitor undetected.

The script will then remove itself from the /Users/Shared/ folder, launches the new copy, then opens the Little Snitch installer. The Patch file (now a malware disguised as “Crash Reporter” in Activity Monitor) will install itself in various locations.

The Patch file will start encrypting data and settings files, including the keychain files. This will effectively lock files, keeping them away from the user. The infection will also show other signs, including errors in the Dock and the Finder. Reed said he was only able to stop Finder from freezing by force quitting.

Reed also noted that some people who discovered the malware reported that it creates a file that contains instructions on paying a ransom in order for the encrypted files to be decrypted. The malware also has an alert and users text-to-speech to inform users that their Mac has been infected with the ransomware.

A screenshot of the file, taken from the online forum, shows that users are prompted to pay $50 to “recover” their files. MacRumors warns people whose Macs have been infected with the new ransomware to avoid paying the amount because it “does not remove the malware.”

Malwarebytes said its software for the Mac can remove this malware/ransomware, which can be detected as “Ransom.OSX.EvilQuest.”