In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or “second stage,” attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.
“Looking at the code, if you split the ransomware logic from all the other backdoor logic the two pieces completely make sense as individual malware. But compiling them together you’re kind of like what?” says Patrick Wardle, principal security researcher at the Mac management firm Jamf. “My current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capability as a way to make extra money.”
Though ThiefQuest is packed with menacing features, it’s unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7’s Devadoss notes that the malware itself is designed to look like a “Google Software Update program.” So far, though, the researchers say that it doesn’t seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide.
For your Mac to become infected, you would need to torrent a compromised installer and then dismiss a series of warnings from Apple in order to run it. It’s a good reminder to get your software from trustworthy sources, like developers whose code is “signed” by Apple to prove its legitimacy, or from Apple’s App Store itself. But if you’re someone who already torrents programs and is used to ignoring Apple’s flags, ThiefQuest illustrates the risks of that approach.
Apple declined to comment for this story.
Though ThiefQuest has an extensive suite of capabilities in fusing ransomware with spyware, it’s unclear for what ends, particularly because the ransomware component seems incomplete. The malware shows a ransom note that demands payment, but it only lists a static Bitcoin address where victims can send money. Given Bitcoin’s anonymity features, attackers who intended to decrypt a victim’s systems upon receiving payment would have no way to tell who had paid already and who hadn’t. Additionally, the note doesn’t list an email address that victims can use to correspond with the attackers about receiving a decryption key—another sign that the malware may not actually be intended as ransomware. Jamf’s Wardle also found in his analysis that while the malware has all the components it would need to decrypt the files, they don’t seem to be set up to actually function in the wild.