The macOS malware known as ThiefQuest, or EvilQuest, has evolved quickly since it was first seen in June 2020. When first observed, it acted as a backdoor and could modify the victim's hosts file. Later versions added file exfiltration, ransomware behavior, and file-infector behavior. Now, researchers at Trend Micro report that the operators of ThiefQuest have added a new way of computing and calling function addresses at runtime, which makes the malware harder to analyze. They also added checks of the machine's MAC address, CPU count, and physical memory as anti-analysis measures, so the malware can recognize an automated sandbox and avoid running inside it. Lastly, the malware now enumerates running processes and terminates those belonging to security tools from Avast, Bitdefender, Bullguard, DrWeb, Kaspersky, KnockKnock, Little Snitch, McAfee, Norton, and ReiKey.
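As an added illustration of the two techniques described above, the following Python script (written for this page; it is not Trend Micro's code and not code recovered from the ThiefQuest sample) shows, from the defender's side, what a host-fingerprint check on MAC address, CPU count, and physical memory looks like, and a sweep that reports which of the listed security tools are no longer running. The hypervisor OUI list is public IEEE registration data; the CPU and memory thresholds, the process-name fragments, and the sample host values are assumptions chosen for the example.

```python
"""Added example: sandbox-fingerprint checks and a security-tool process sweep.

Not ThiefQuest's own logic. Thresholds, OUI list, and process-name patterns are
assumptions for illustration; run on macOS to collect live values with sysctl/ps.
"""
import os
import platform
import subprocess
import uuid
from dataclasses import dataclass

# OUI prefixes registered to common hypervisor vendors (public IEEE data).
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:1c:42": "Parallels",
}

# Security tools named in the Trend Micro report, mapped to an assumed
# lower-cased fragment of their process name for matching against `ps` output.
SECURITY_TOOL_PATTERNS = {
    "Avast": "avast", "Bitdefender": "bitdefender", "Bullguard": "bullguard",
    "DrWeb": "drweb", "Kaspersky": "kaspersky", "KnockKnock": "knockknock",
    "Little Snitch": "little snitch", "McAfee": "mcafee", "Norton": "norton",
    "ReiKey": "reikey",
}


@dataclass
class HostFacts:
    mac: str        # colon-separated, e.g. "00:0c:29:4a:1b:2c"
    cpu_count: int
    mem_bytes: int


def sandbox_indicators(facts, min_cpus=2, min_mem_bytes=4 * 1024 ** 3):
    """Return the reasons this host looks like an analysis VM (empty list if none).

    The thresholds are assumptions: a real sandbox detector tunes them to the
    VM images it expects to meet.
    """
    reasons = []
    oui = facts.mac.lower()[:8]
    if oui in HYPERVISOR_OUIS:
        reasons.append(f"MAC OUI {oui} is registered to {HYPERVISOR_OUIS[oui]}")
    if facts.cpu_count < min_cpus:
        reasons.append(f"only {facts.cpu_count} CPU(s), fewer than {min_cpus}")
    if facts.mem_bytes < min_mem_bytes:
        gib = facts.mem_bytes / 1024 ** 3
        reasons.append(f"only {gib:.1f} GiB RAM, below {min_mem_bytes / 1024 ** 3:.0f} GiB")
    return reasons


def missing_security_tools(process_names):
    """Return the listed tools for which no matching process name is present."""
    running = [name.lower() for name in process_names]
    return sorted(tool for tool, fragment in SECURITY_TOOL_PATTERNS.items()
                  if not any(fragment in name for name in running))


def collect_host_facts():
    """Gather live values: MAC via uuid.getnode, CPUs via os, RAM via sysctl/sysconf."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    cpus = os.cpu_count() or 0
    if platform.system() == "Darwin":
        mem = int(subprocess.check_output(["sysctl", "-n", "hw.memsize"]).strip())
    else:
        mem = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    return HostFacts(mac, cpus, mem)


def running_process_names():
    """Process names from `ps -eo comm=`, which works on both macOS and Linux."""
    out = subprocess.check_output(["ps", "-eo", "comm="], text=True)
    return [line.strip() for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    # Constructed sample values, not real telemetry.
    sample_vm = HostFacts("00:0c:29:4a:1b:2c", 1, 2 * 1024 ** 3)
    for reason in sandbox_indicators(sample_vm):
        print("sandbox indicator:", reason)
    sample_procs = ["launchd", "Finder", "Little Snitch Daemon", "ReiKey"]
    print("security tools not running:", missing_security_tools(sample_procs))

    # Live check of this host (values differ per machine).
    live = collect_host_facts()
    print("live indicators:", sandbox_indicators(live) or "none")
    print("live missing tools:", missing_security_tools(running_process_names()))
```

Running `missing_security_tools` against a periodic process snapshot is a cheap hunt for this family's tool-killing behavior: a tool that was present in the previous snapshot and is absent from the next one, without a user action to explain it, is worth an alert.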
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.