A new stealer for MacOS called “EvilQuest” is currently spreading through pirated versions of popular apps including “Mixed in Key” and “Little Snitch”. EvilQuest acts as a ransomware, encrypting files and eventually dropping a ransom note afterwards like most ransomware does. The ransomware functionality is troubling in its implementation; according to analysis by Malwarebytes, EvilQuest isn’t very smart or picky about the files it chooses to encrypt. This led to issues with the keychain becoming damaged and the dock resetting to the default appearance. BleepingComputer also noticed that the ransom note contains the same Bitcoin wallet address per installation and offers no method of contact to the malware author. With no method of contact or some unique identifier, there is currently no way for any victim to recover encrypted files without restoring from a backup.
EvilQuest also has exfiltration and RAT-like capabilities. When run, the malware will download a Python script containing a hardcoded list of file extensions to look for, base64 encode them and the send them off to a command and control (C2) server. For some reason, the script will only exfiltrate files under 800 KB. When communicating with the C2, EvilQuest can also receive commands to:
- Start a keylogger
- Execute commands on the system
- Execute modules from memory