The macOS malware known as ThiefQuest, or EvilQuest, has evolved quickly since it was first seen in June 2020. When first observed, it performed backdoor functions and could modify its target's host file. Later versions added file exfiltration, ransomware behavior, and file infector behavior. Now, researchers at Trend Micro report that the operators of ThiefQuest have added a new way to compute and call function addresses, which makes malware analysis a tougher task. The authors also added functions that check the machine's MAC address, CPU count, and physical memory to support anti-analysis logic, preventing the malware from being automatically analyzed by sandbox systems. Lastly, the malware can now detect and disable antivirus applications from Avast, Bitdefender, BullGuard, Dr.Web, Kaspersky, KnockKnock, Little Snitch, McAfee, Norton, and ReiKey as part of its check-and-termination routine.
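The two behaviours singled out above, host fingerprinting for sandbox evasion and the termination of security tools, are both visible in endpoint telemetry, which makes them useful detection hooks. The following is an added example, not code from Trend Micro or from the malware write-up: it runs two simple rules over a constructed set of process events. The telemetry format, the process names, and the mapping of "CPU count / physical memory / MAC address" to the keys `sysctl:hw.ncpu`, `sysctl:hw.memsize` and `iokit:IOMACAddress` are assumptions for the example (the sysctl and IORegistry names are real macOS identifiers, but the page does not say which calls ThiefQuest itself uses).

```python
"""Detection sketch for two ThiefQuest behaviours: (1) an unexpected process
sending SIGKILL/SIGTERM to a known security tool, and (2) a single process
collecting the host fingerprint (CPU count, memory, MAC) that sandbox checks
rely on. The event format and sample data are constructed for this example."""
from collections import defaultdict
from typing import Dict, List

# Security products the write-up says the malware looks for and terminates.
SECURITY_TOOLS = [
    "avast", "bitdefender", "bullguard", "drweb", "kaspersky", "knockknock",
    "littlesnitch", "mcafee", "norton", "reikey",
]

# Processes that legitimately stop other processes (assumed allow-list).
ALLOWED_TERMINATORS = {"launchd", "kernel_task"}

# Assumed telemetry keys for the fingerprint queries. hw.ncpu and hw.memsize
# are real macOS sysctl names and IOMACAddress is the IORegistry property for
# an interface's MAC; which calls ThiefQuest uses is not stated on the page.
FINGERPRINT_KEYS = {"sysctl:hw.ncpu", "sysctl:hw.memsize", "iokit:IOMACAddress"}

# Constructed sample telemetry: one suspicious pid (710) and three benign ones.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 710, "proc": "untrusted_app", "action": "query", "target": "sysctl:hw.ncpu"},
    {"ts": 1, "pid": 710, "proc": "untrusted_app", "action": "query", "target": "sysctl:hw.memsize"},
    {"ts": 2, "pid": 710, "proc": "untrusted_app", "action": "query", "target": "iokit:IOMACAddress"},
    {"ts": 3, "pid": 710, "proc": "untrusted_app", "action": "signal", "target": "Little Snitch Agent", "sig": 9},
    {"ts": 3, "pid": 710, "proc": "untrusted_app", "action": "signal", "target": "KnockKnock", "sig": 9},
    {"ts": 4, "pid": 88, "proc": "Activity Monitor", "action": "query", "target": "sysctl:hw.ncpu"},
    {"ts": 5, "pid": 90, "proc": "Kaspersky", "action": "signal", "target": "kav_helper", "sig": 15},
    {"ts": 6, "pid": 1, "proc": "launchd", "action": "signal", "target": "Little Snitch Agent", "sig": 15},
]


def _norm(name: str) -> str:
    """Lower-case and drop non-alphanumerics so 'Little Snitch Agent' matches 'littlesnitch'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def is_security_tool(name: str) -> bool:
    n = _norm(name)
    return any(tool in n for tool in SECURITY_TOOLS)


def terminates_security_tool(ev: Dict) -> bool:
    """True for SIGKILL/SIGTERM aimed at a security tool by an unexpected sender."""
    if ev["action"] != "signal" or ev.get("sig") not in (9, 15):
        return False
    if not is_security_tool(ev["target"]):
        return False
    sender = ev["proc"]
    return sender not in ALLOWED_TERMINATORS and not is_security_tool(sender)


def fingerprint_bursts(events: List[Dict], window: int = 10, min_keys: int = 2) -> List[Dict]:
    """One alert per pid that queries >= min_keys distinct fingerprint keys within `window` seconds."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev["action"] == "query" and ev["target"] in FINGERPRINT_KEYS:
            by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            keys = {e["target"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(keys) >= min_keys:
                alerts.append({"rule": "host_fingerprint", "pid": pid,
                               "proc": first["proc"], "keys": sorted(keys)})
                break
    return alerts


def analyze(events: List[Dict]) -> List[Dict]:
    """Run both rules and return the combined alert list."""
    kills = [{"rule": "security_tool_kill", "pid": e["pid"], "proc": e["proc"], "target": e["target"]}
             for e in events if terminates_security_tool(e)]
    return kills + fingerprint_bursts(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only pid 710 fires: two `security_tool_kill` alerts and one `host_fingerprint` alert. The allow-list keeps `launchd` quiet, a security product signalling its own helper is ignored, and a single `hw.ncpu` lookup by Activity Monitor stays below the burst threshold; in practice the fingerprint rule is best paired with the kill rule or with a process-reputation signal, since plenty of legitimate software reads CPU and memory counts.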
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in