The macOS malware known as ThiefQuest, or EvilQuest, has been evolving quickly since it was first seen in June 2020. When first observed, it performed backdoor functions and could modify its target's host file. It then gained file exfiltration capabilities, ransomware behavior, and file infector behavior. Now, researchers at Trend Micro report that the operators of ThiefQuest have added a new way to compute and call function addresses, which makes malware analysis harder. The authors also added functions that check the machine's MAC address, CPU count, and physical memory to support anti-analysis, so that the malware can avoid being automatically analyzed by sandbox systems. Lastly, the malware can now detect and disable anti-virus applications from Avast, Bitdefender, Bullguard, DrWeb, Kaspersky, KnockKnock, Little Snitch, McAfee, Norton, and ReiKey as part of its check and termination routine.
A defense-in-depth strategy is recommended for defending against system intrusions. One layer of that strategy is keeping trusted anti-virus software installed and updated on devices. Because ThiefQuest is another example of malware that can detect and disable anti-virus solutions, the other layers of defense become even more important. At Binary Defense, analysts in the Security Operations Center continuously monitor endpoints and SIEM systems to detect and stop intrusions on a 24/7 basis.