{"id":91799,"date":"2020-07-01T23:59:41","date_gmt":"2020-07-02T06:59:41","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=91799"},"modified":"2024-04-18T03:13:47","modified_gmt":"2024-04-18T10:13:47","slug":"new-mac-ransomware-spyware-thiefquest-in-the-wild","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/","title":{"rendered":"New Mac ransomware-spyware EvilQuest in the wild"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-51421\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Mac-Ransomware.jpg\" alt=\"ThiefQuest Mac ransomware spreads via Trojanized installers downloaded from BitTorrent\" width=\"600\" height=\"300\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Mac-Ransomware.jpg 600w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Mac-Ransomware-150x75.jpg 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Mac-Ransomware-300x150.jpg 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>On Monday, June 29, Intego&#8217;s research team was alerted to new Mac malware spreading in the wild via BitTorrent. At first glance, it has telltale signs of ransomware\u2014malware designed to encrypt a user&#8217;s files and demand a ransom to recover them\u2014but it turns out to be much more nefarious.<\/p>\n<p>The malware, dubbed <strong>OSX\/EvilQuest<\/strong> (also known as <strong>OSX\/ThiefQuest<\/strong>) and detected by <a href=\"https:\/\/www.intego.com\/mac-protection-bundle\">Intego VirusBarrier<\/a> as <strong>OSX\/EvilQuest<\/strong> (previously <strong>OSX\/Ransomware<\/strong>), has some pretty interesting characteristics. 
Here&#8217;s what you need to know about this latest threat.<\/p>\n<p>In this article:<\/p>\n<ul>\n<li><a href=\"#wild-spread\">Is this malware in the wild? How does it spread?<\/a><\/li>\n<li><a href=\"#what-does-how-unique\">What does the new malware do? How is it unique?<\/a><\/li>\n<li><a href=\"#how-to-avoid\">How should Mac users avoid getting this malware?<\/a><\/li>\n<li><a href=\"#how-to-remove\">How can the malware be removed?<\/a><\/li>\n<li><a href=\"#how-to-decrypt\">How can I recover my files that got encrypted?<\/a><\/li>\n<li><a href=\"#iocs\">Indicators of compromise<\/a><\/li>\n<li><a href=\"#learn-more\">How can I learn more?<\/a><\/li>\n<\/ul>\n<p><a name=\"wild-spread\"><\/a><\/p>\n<h3>Is this malware in the wild? How does it spread?<\/h3>\n<p>The EvilQuest malware comes disguised as an installer for any of various Mac applications, including Google Software Update, Ableton, Little Snitch, and Mixed In Key 8.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Thanks for the info! Been working on that this morning&#8230; seems it&#39;s getting dropped by some installers wrapping legit software like Little Snitch, Ableton, and Mixed In Key. There are probably others as well.<\/p>\n<p>&mdash; Thomas Reed (@thomasareed) <a href=\"https:\/\/twitter.com\/thomasareed\/status\/1277674376582832130?ref_src=twsrc%5Etfw\">June 29, 2020<\/a><\/p><\/blockquote>\n<p>BitTorrent magnet links to download these Trojanized installers have been observed on RUTracker, a Russian forum site. 
The forum post seems to be dated June 9, so this malware may have gone undiscovered for approximately three weeks.<\/p>\n<div id=\"attachment_91801\" style=\"width: 1210px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-91801\" loading=\"lazy\" class=\"size-full wp-image-91801\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/RUTracker-ThiefQuest-Little-Snitch-forum-post.jpg\" alt=\"\" width=\"1200\" height=\"543\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/RUTracker-ThiefQuest-Little-Snitch-forum-post.jpg 1200w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/RUTracker-ThiefQuest-Little-Snitch-forum-post-300x136.jpg 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/RUTracker-ThiefQuest-Little-Snitch-forum-post-1024x463.jpg 1024w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/RUTracker-ThiefQuest-Little-Snitch-forum-post-150x68.jpg 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/RUTracker-ThiefQuest-Little-Snitch-forum-post-768x348.jpg 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/RUTracker-ThiefQuest-Little-Snitch-forum-post-657x297.jpg 657w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><p id=\"caption-attachment-91801\" class=\"wp-caption-text\">RUTracker forum post with BitTorrent link to Trojanized Little Snitch. Image: <a href=\"https:\/\/blog.malwarebytes.com\/mac\/2020\/06\/new-mac-ransomware-spreading-through-piracy\/\" target=\"_blank\" rel=\"noopener noreferrer\">Reed<\/a><\/p><\/div>\n<p><a name=\"what-does-how-unique\"><\/a><\/p>\n<h3>What does the new malware do? 
How is it unique?<\/h3>\n<p>Although the Trojanized installer may install the intended software, it also installs malware onto the victim&#8217;s system.<\/p>\n<p>Among other things, the malware encrypts the user&#8217;s files, after which it displays a dialog box claiming that the user has three days to pay a U.S. $50 ransom to a particular Bitcoin address. Thankfully, nobody has yet paid the ransom\u2014at least not to one Bitcoin address that has been found associated with this malware campaign\u2014as of when this article was published.<\/p>\n<div id=\"attachment_91800\" style=\"width: 1019px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-91800\" loading=\"lazy\" class=\"size-full wp-image-91800\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/ThiefQuest-no-ransoms-paid-yet.png\" alt=\"ThiefQuest - no ransoms paid yet\" width=\"1009\" height=\"611\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/ThiefQuest-no-ransoms-paid-yet.png 1009w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/ThiefQuest-no-ransoms-paid-yet-300x182.png 300w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/ThiefQuest-no-ransoms-paid-yet-150x91.png 150w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/ThiefQuest-no-ransoms-paid-yet-768x465.png 768w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2020\/07\/ThiefQuest-no-ransoms-paid-yet-657x398.png 657w\" sizes=\"(max-width: 1009px) 100vw, 1009px\" \/><p id=\"caption-attachment-91800\" class=\"wp-caption-text\">Evidently, nobody had paid the ransom as of when this article was published. Image: Intego<\/p><\/div>\n<p>There&#8217;s actually a bit of a twist to the ransomware angle, though. 
Although so far this has sounded like standard ransomware behavior, the malware makers actually don&#8217;t provide an e-mail address or any other way to contact them, so it is unclear how the extortioners would know who paid them and therefore how to help that person decrypt their files.<\/p>\n<p>In other words, this &#8220;ransomware&#8221; may be better described as a &#8220;wiper&#8221;\u2014malicious software that encrypts files without providing any way to decrypt them, even if you give in to the extortioner&#8217;s demands. It remains to be seen whether the anti-malware community will be able to discover a way to decrypt documents encrypted by this malware.<\/p>\n<p>There are also additional capabilities beyond encrypting the user&#8217;s documents. EvilQuest also phones home to command and control (C2) servers, can log a victim&#8217;s keystrokes, and it has data exfiltration capabilities\u2014meaning it can steal potentially interesting files from a victim&#8217;s computer and send them to the malware maker.<\/p>\n<p>EvilQuest also tries to avoid detection by behaving differently when running within a virtual machine or when a debugger is running\u2014common tactics to make it more difficult for malware analysts and automated analysis tools to identify and assess malicious behaviors.<\/p>\n<p><strong>Update:<\/strong> After this article was first published, it came to light that EvilQuest also maliciously modifies Google Software Update background apps, which interestingly makes EvilQuest a true Mac <em>virus<\/em>.<\/p>\n<p>Given all this functionality, the EvilQuest malware is not &#8220;merely&#8221; ransomware. 
It could also be described as a wiper, data stealer, spyware, <a href=\"https:\/\/www.intego.com\/mac-security-blog\/topic\/keylogger\/\" target=\"_blank\" rel=\"noopener noreferrer\">keylogger<\/a>, evader, virus, and a <a href=\"https:\/\/www.intego.com\/mac-security-blog\/osxcoldroot-and-the-rat-invasion\/\" target=\"_blank\" rel=\"noopener noreferrer\">RAT<\/a>.<a name=\"how-to-avoid\"><\/a><\/p>\n<h3>How should Mac users avoid getting this malware?<\/h3>\n<p>This is not the first time that malware has been distributed via BitTorrent, or by disguising itself as illegitimately obtained full or &#8220;cracked&#8221; versions of Mac software. We wrote in 2017 about <a href=\"https:\/\/www.intego.com\/mac-security-blog\/patcher-ransomware-attacks-macos-encrypts-files-permanently\/\" target=\"_blank\" rel=\"noopener noreferrer\">&#8220;Patcher&#8221; (<strong>OSX\/Filecoder<\/strong>) ransomware<\/a> that spread the same way.<\/p>\n<p>In fact, later that year an Intego blogger did his own investigation of Mac software distributed through BitTorrent, and found that every app he downloaded was flagged by <strong>Intego VirusBarrier<\/strong> as containing malware:<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"kkgwMrlP6g\"><p><a href=\"https:\/\/www.intego.com\/mac-security-blog\/why-bittorrent-sites-are-a-malware-cesspool\/\">Why BitTorrent Sites Are a Malware Cesspool<\/a><\/p><\/blockquote>\n<p>In short, it simply is not a good idea to download Mac apps through BitTorrent. The safest way to obtain an app is through the Mac App Store where possible, or directly from the developer&#8217;s site.<a name=\"how-to-remove\"><\/a><\/p>\n<h3>How can the malware be removed?<\/h3>\n<p>Intego VirusBarrier X9, included with <strong><a href=\"https:\/\/www.intego.com\/mac-protection-bundle\">Intego&#8217;s Mac Premium Bundle X9<\/a><\/strong>, can detect and eliminate this malware.<\/p>\n<p>Customers running VirusBarrier X8, X7, or X6 on older versions of Mac OS X are also protected. It is best to upgrade to the latest version of macOS if possible to ensure your Mac gets all the latest security updates from Apple.<a name=\"how-to-decrypt\"><\/a><\/p>\n<h3>How can I recover my files that got encrypted?<\/h3>\n<p>The malware maker doesn&#8217;t provide any contact information, so paying the ransom would be a one-way transaction; you&#8217;d be giving the bad guys your money, but you still wouldn&#8217;t be able to recover your encrypted files. (Whenever possible, it&#8217;s best to avoid paying ransoms anyway, of course, since giving money to criminals ultimately gives them motivation to keep victimizing others.)<\/p>\n<p>Thankfully, the community has come together and reverse-engineered the encryption. 
There&#8217;s even a <a href=\"https:\/\/github.com\/Sentinel-One\/foss\/tree\/master\/s1-evilquest-decryptor\" target=\"_blank\" rel=\"noopener noreferrer\">free utility<\/a> that can be used to decrypt and restore files that have been encrypted by the EvilQuest malware.<a name=\"iocs\"><\/a><\/p>\n<h3>Indicators of compromise<\/h3>\n<p>Some paths that have been observed so far from this malware campaign include the following:<\/p>\n<pre>\/Library\/LaunchDaemons\/com.apple.questd.plist\r\n\/Library\/mixednkey\/toolroomd\r\n\/private\/var\/root\/Library\/.5tAxR3H3Y\r\n\/private\/var\/root\/Library\/AppQuest\/com.apple.questd\r\n\/private\/var\/root\/Library\/LaunchAgents\/com.apple.questd.plist\r\n~\/Library\/.ak5t3o0X2\r\n~\/Library\/AppQuest\/com.apple.questd\r\n~\/Library\/LaunchAgents\/com.apple.questd.plist\r\nMixed In Key 8.dmg [if downloaded via BitTorrent]<\/pre>\n<p>The following domain and IP address have been observed as directly affiliated with this malware campaign:<\/p>\n<pre>andrewka6.pythonanywhere[.]com\r\n167.71.237[.]219<\/pre>\n<p>Any recent network traffic to or from these addresses should be considered a possible sign of an infection.<a style=\"font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen-Sans, Ubuntu, Cantarell, 'Helvetica Neue', sans-serif;\" name=\"learn-more\"><\/a><\/p>\n<h3>How can I learn more?<\/h3>\n<p>For more technical analyses of this malware, you can refer to Patrick Wardle (<a href=\"https:\/\/objective-see.com\/blog\/blog_0x59.html\" target=\"_blank\" rel=\"noopener noreferrer\">part 1<\/a> and <a href=\"https:\/\/objective-see.com\/blog\/blog_0x60.html\" target=\"_blank\" rel=\"noopener noreferrer\">part 2<\/a>), Thomas Reed (<a href=\"https:\/\/blog.malwarebytes.com\/mac\/2020\/06\/new-mac-ransomware-spreading-through-piracy\/\" target=\"_blank\" rel=\"noopener noreferrer\">part 1<\/a> and <a 
href=\"https:\/\/blog.malwarebytes.com\/mac\/2020\/07\/mac-thiefquest-malware-may-not-be-ransomware-after-all\/\" target=\"_blank\" rel=\"noopener noreferrer\">part 2<\/a>), <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/thiefquest-ransomware-is-a-file-stealing-mac-wiper-in-disguise\/\" target=\"_blank\" rel=\"noopener noreferrer\">Lawrence Abrams<\/a>, and <a href=\"https:\/\/labs.sentinelone.com\/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine\/\" target=\"_blank\" rel=\"noopener noreferrer\">Phil Stokes<\/a>&#8217; published research. WIRED writer Lily Hay Newman also has <a href=\"https:\/\/www.wired.com\/story\/new-mac-ransomware-thiefquest-evilquest\/\" target=\"_blank\" rel=\"noopener noreferrer\">additional coverage<\/a> of this story.<\/p>\n<p>We talked about this new malware on <a href=\"https:\/\/podcast.intego.com\/142\">episode 142<\/a> and will follow up on episode 143 of the <a href=\"https:\/\/podcast.intego.com\/\"><strong>Intego Mac Podcast<\/strong><\/a>\u2014be sure to <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" rel=\"noopener\">subscribe<\/a> to make sure you don\u2019t miss any episodes. You\u2019ll also want to subscribe to our <strong>e-mail newsletter<\/strong> and keep an eye here on <strong>The Mac Security Blog<\/strong> for the latest Apple security and privacy news.<\/p>\n<p>You can also follow Intego on your favorite social and media channels: <a href=\"https:\/\/www.facebook.com\/Intego\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>, <a href=\"https:\/\/www.instagram.com\/intego_security\/\" target=\"_blank\" rel=\"noopener noreferrer\">Instagram<\/a>, <a href=\"https:\/\/twitter.com\/IntegoSecurity\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>, and <a href=\"https:\/\/www.youtube.com\/user\/IntegoVideo?sub_confirmation=1\" target=\"_blank\" rel=\"noopener noreferrer\">YouTube<\/a> (click the \ud83d\udd14 to get notified about new videos).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On Monday, June 29, Intego began investigating new Mac malware spreading in the wild via BitTorrent. 
Although it has telltale signs of ransomware, the EvilQuest (ThiefQuest) malware turns out to be much more nefarious and complex.<\/p>\n","protected":false},"author":14,"featured_media":51424,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[3565,86,109,4722],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"On Monday, June 29, Intego began investigating new Mac malware spreading in the wild via BitTorrent. Although it has telltale signs of ransomware, the EvilQuest (ThiefQuest) malware turns out to be much more nefarious and complex.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Mac ransomware-spyware EvilQuest in the wild - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"On Monday, June 29, Intego began investigating new Mac malware spreading in the wild via BitTorrent. 
Although it has telltale signs of ransomware, the EvilQuest (ThiefQuest) malware turns out to be much more nefarious and complex.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/JoshLong\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-02T06:59:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-18T10:13:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@theJoshMeister\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Joshua Long\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg\",\"width\":400,\"height\":260,\"caption\":\"ThiefQuest Mac ransomware spreads via Trojanized installers downloaded from BitTorrent\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/\",\"name\":\"New Mac ransomware-spyware EvilQuest in the wild - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#primaryimage\"},\"datePublished\":\"2020-07-02T06:59:41+00:00\",\"dateModified\":\"2024-04-18T10:13:47+00:00\",\"description\":\"On Monday, June 29, Intego began investigating new Mac malware spreading in the wild via BitTorrent. 
Although it has telltale signs of ransomware, the EvilQuest (ThiefQuest) malware turns out to be much more nefarious and complex.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"New Mac ransomware-spyware EvilQuest in the wild\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\"},\"headline\":\"New Mac ransomware-spyware EvilQuest in the wild\",\"datePublished\":\"2020-07-02T06:59:41+00:00\",\"dateModified\":\"2024-04-18T10:13:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#webpage\"},\"wordCount\":1088,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg\",\"keywords\":[\"BitTorrent\",\"Malware\",\"Ransomware\",\"Stealer 
Malware\"],\"articleSection\":[\"Malware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\",\"name\":\"Joshua Long\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"caption\":\"Joshua Long\"},\"description\":\"Joshua Long (@theJoshMeister), formerly Intego\\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \\u2014\",\"sameAs\":[\"https:\/\/security.thejoshmeister.com\",\"https:\/\/www.facebook.com\/JoshLong\",\"https:\/\/www.instagram.com\/thejoshmeister\/\",\"https:\/\/www.linkedin.com\/in\/thejoshmeister\",\"https:\/\/www.pinterest.com\/thejoshmeister\/\",\"https:\/\/twitter.com\/theJoshMeister\",\"https:\/\/www.youtube.com\/@theJoshMeister\"],\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"description":"On Monday, June 29, Intego began investigating new Mac malware spreading in the wild via BitTorrent. Although it has telltale signs of ransomware, the EvilQuest (ThiefQuest) malware turns out to be much more nefarious and complex.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/","og_locale":"en_US","og_type":"article","og_title":"New Mac ransomware-spyware EvilQuest in the wild - The Mac Security Blog","og_description":"On Monday, June 29, Intego began investigating new Mac malware spreading in the wild via BitTorrent. Although it has telltale signs of ransomware, the EvilQuest (ThiefQuest) malware turns out to be much more nefarious and complex.","og_url":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/","og_site_name":"The Mac Security Blog","article_author":"https:\/\/www.facebook.com\/JoshLong","article_published_time":"2020-07-02T06:59:41+00:00","article_modified_time":"2024-04-18T10:13:47+00:00","og_image":[{"width":400,"height":260,"url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_creator":"@theJoshMeister","twitter_misc":{"Written by":"Joshua Long","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg","width":400,"height":260,"caption":"ThiefQuest Mac ransomware spreads via Trojanized installers downloaded from 
BitTorrent"},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/","name":"New Mac ransomware-spyware EvilQuest in the wild - The Mac Security Blog","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#primaryimage"},"datePublished":"2020-07-02T06:59:41+00:00","dateModified":"2024-04-18T10:13:47+00:00","description":"On Monday, June 29, Intego began investigating new Mac malware spreading in the wild via BitTorrent. Although it has telltale signs of ransomware, the EvilQuest (ThiefQuest) malware turns out to be much more nefarious and complex.","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"New Mac ransomware-spyware EvilQuest in the wild"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1"},"headline":"New Mac ransomware-spyware EvilQuest in the 
wild","datePublished":"2020-07-02T06:59:41+00:00","dateModified":"2024-04-18T10:13:47+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#webpage"},"wordCount":1088,"commentCount":0,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg","keywords":["BitTorrent","Malware","Ransomware","Stealer Malware"],"articleSection":["Malware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/new-mac-ransomware-spyware-thiefquest-in-the-wild\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1","name":"Joshua Long","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","caption":"Joshua Long"},"description":"Joshua Long (@theJoshMeister), formerly Intego\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. 
Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \u2014","sameAs":["https:\/\/security.thejoshmeister.com","https:\/\/www.facebook.com\/JoshLong","https:\/\/www.instagram.com\/thejoshmeister\/","https:\/\/www.linkedin.com\/in\/thejoshmeister","https:\/\/www.pinterest.com\/thejoshmeister\/","https:\/\/twitter.com\/theJoshMeister","https:\/\/www.youtube.com\/@theJoshMeister"],"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/03\/KeRanger-Ransomware.jpg","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-nSD","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/91799"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=91799"}],"version-history":[{"count":8,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/91799\/revisions"}],"predecessor-version":[{"id":91828,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/91799\/revisions\/91828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/51424"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=91799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=
91799"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=91799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}