
OSX.EvilQuest ransomware targets Macs; Ransom X blamed for TxDOT attack

The crowded ransomware market is now home to three newly discovered players that recently gained the attention of security researchers and malware analysts -- including one that targets Mac users and another blamed for a recent attack on the Texas Department of Transportation.

Dubbed OSX.EvilQuest, the Mac ransomware was observed being distributed on a Russian torrent link-sharing forum in the form of a downloadable disk image file. This file posed as an installer for the Little Snitch host-based application firewall.

Researchers from Objective-See and Malwarebytes have both reported on the threat [1, 2], with the former crediting K7 Computing researcher Dinesh Devadoss with first tweeting about an OSX.EvilQuest sample that had a zero-percent anti-virus detection rate and a file name impersonating a Google Software Update program.

"It's not every day that a new piece of ransomware is uncovered that targets macOS," observed Patrick Wardle, founder of Objective-See, in his company's blog post.

Another variant of the ransomware was found in a trojanized installer for the popular DJ software Mixed In Key 8, which was also distributed on the Russian forum. (Additional, as-yet-unseen trojanized installers are likely being distributed as well, Malwarebytes' Thomas Reed reported.)

The malware may still have a few glitches to sort out, however, reported Thomas Reed, Malwarebytes' director of Mac and mobile, in his own company blog post. For instance, although the malicious Little Snitch installer is supposed to deliver a genuine installer for the firewall as well, Reed's attempt to run that legitimate installer failed.

In addition to Little Snitch, the malicious installer drops a malicious executable called "patch," along with a post-install script that moves the "patch" file to a location that makes it look as if the executable belongs to Little Snitch. The file is also renamed CrashReporter, so that if its activity shows up in Activity Monitor the user is unlikely to become suspicious.

This "patch" executable turns out to be the encryptor, which targets files on the hard drive. Both the installer and the executable run with root privileges if the user grants them when prompted.

According to Reed, "The malware wasn’t particularly smart about what files it encrypted... It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption."

Users affected by the ransomware might also find other signs of foul play: the Dock resets to its default appearance, the Finder struggles or freezes when an encrypted file is selected, and apps may also freeze, Reed reported.

The malware alerts victims to the infection through both a text ransom note and a modal prompt that is read aloud using text-to-speech. In a sample ransom note posted by Objective-See, the malware operators claim to use AES-256 to encrypt files, and demand a modest $50 payment in bitcoin to unlock them -- described as a one-time "fixed processing fee" because the decryption process "will require us to use some processing power, electricity and storage on our side." The threat actors tell victims they have three days to pay or lose their files permanently.

Wardle said his analysis uncovered clues that suggest OSX.EvilQuest is "more than 'just' a simple piece of ransomware." He noted indications that the malware may also include keylogging, in-memory code execution, and anti-analysis checks that likely hide its true functionality when it detects that it is running under a debugger or inside a virtual machine.

Additionally, EvilQuest establishes persistence via launch agent and daemon plist files, uses the function kill_unwanted to thwart security products that could otherwise detect or block its behaviors, and can open a reverse shell to a command-and-control server.

"Armed with these capabilities the attacker can maintain full control over an infected host!" warned Wardle.

Wardle also noted that the ransomware appears to look for files related to digital wallets and cryptographic keys, possibly with the intent to exfiltrate them.

Ransom X

Meanwhile, a ransomware attack that bedeviled the Texas Department of Transportation last May has now been attributed to a previously unknown encryptor known as Ransom X.

Citing analysis from the MalwareHunterTeam and researcher Vitali Kremez, BleepingComputer has reported that Ransom X is yet another human-operated ransomware that relies on attackers specifically targeting and infecting organizations through the abuse of network vulnerabilities and misconfigurations, credential theft and lateral movement techniques.

Ransom X's main targets so far are government agencies and enterprises such as TxDOT, according to the report. It is unknown whether the attackers behind the program also steal sensitive data for extortion purposes, as is the m.o. of many human-operated ransomware gangs.

As it encrypts files, Ransom X reportedly appends a custom extension tied to the specific victim (e.g. .exdot for the TxDOT attack). The ransom note is customized as well; it contains payment instructions and is dropped into every folder scanned during encryption. The adversaries reportedly can view the latest attack information and status on a console, which displays the total number of encrypted files.

Before encrypting, Ransom X terminates 289 processes -- among them security software, database services, MSP software, remote access tools and email servers -- and during encryption it skips certain Windows system folders and files, including some that may hold the ransomware executable itself. It reportedly also runs commands to disable System Restore and the Windows Recovery Environment, delete the Windows backup catalogue and wipe free space on local drives.
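That pre-encryption cleanup is the most detectable moment in an attack like this: the commands run quickly, in a burst, from a host that normally never issues them. The detector below is an added example for this page, not Ransom X's code or anything from the cited report. The report names the actions (disable System Restore and WinRE, delete the backup catalogue, wipe free space); the concrete command lines matched are the standard Windows tools for those actions, which is an assumption, and the process-creation log format and sample lines are constructed.

```python
"""Detect the backup/recovery tampering the report says Ransom X performs
before encrypting.  Added example, not Ransom X's code.  The log layout is
constructed; the command lines matched are the standard Windows tools for
each reported action (an assumption: the report names actions, not commands)."""
import re

# (pattern, reported action).  Case-insensitive; the ".exe" suffix is optional.
TAMPER_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
     "delete shadow copies (System Restore points)"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete", re.I),
     "delete shadow copies via WMI"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
     "disable Windows Recovery Environment"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures", re.I),
     "suppress automatic startup repair"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I),
     "delete Windows backup catalogue"),
    (re.compile(r"\bcipher(\.exe)?\b.*\s/w:", re.I),
     "wipe free space on a volume"),
    (re.compile(r"\bDisable-ComputerRestore\b", re.I),
     "disable System Restore (PowerShell)"),
]


def parse_event(line):
    """Constructed record layout: time|host|user|parent image|command line."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("time", "host", "user", "parent", "cmd"), parts))


def classify(cmd):
    """Reported tamper actions a command line matches (empty list = benign)."""
    return [action for pat, action in TAMPER_PATTERNS if pat.search(cmd)]


def detect(lines, burst_threshold=3):
    """Match each event.  A host with >= burst_threshold distinct tamper actions
    is reported as a pre-encryption burst, which is the signal worth paging on;
    a single shadow-copy deletion may just be an admin."""
    hits, per_host = [], {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        actions = classify(ev["cmd"])
        if actions:
            hits.append(dict(ev, actions=actions))
            per_host.setdefault(ev["host"], set()).update(actions)
    burst_hosts = sorted(h for h, a in per_host.items() if len(a) >= burst_threshold)
    return {"hits": hits, "burst_hosts": burst_hosts}


# Constructed sample: a benign admin session on FS02, a cleanup burst on WS01
# ahead of encryption, a lone shadow-copy deletion on FS03, and one junk line.
SAMPLE_LOG = [
    "2020-06-01T02:10:01|FS02|CORP\\admin|cmd.exe|bcdedit /enum",
    "2020-06-01T02:10:09|FS02|CORP\\admin|cmd.exe|cipher /e D:\\finance\\q2.xlsx",
    "2020-06-01T02:41:12|WS01|CORP\\svc_backup|cmd.exe|vssadmin delete shadows /all /quiet",
    "2020-06-01T02:41:13|WS01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2020-06-01T02:41:13|WS01|CORP\\svc_backup|cmd.exe|wbadmin delete catalog -quiet",
    "2020-06-01T02:41:15|WS01|CORP\\svc_backup|cmd.exe|cipher.exe /w:C:\\",
    "2020-06-01T02:50:00|FS03|CORP\\svc_backup|powershell.exe|vssadmin.exe delete shadows /all",
    "garbage line without delimiters",
]

if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for h in result["hits"]:
        print(h["time"], h["host"], h["cmd"], "->", "; ".join(h["actions"]))
    print("pre-encryption burst on:", result["burst_hosts"])
```

In production the same patterns map onto Sysmon Event ID 4688/1 command-line fields; the burst logic is what separates "an admin cleaned up shadow copies" from "a host is about to be encrypted", and the process-termination wave the report also describes (hundreds of kills in seconds) is a second, independent signal to correlate with it.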

WastedLocker

Last week, Symantec reported that it was aware of at least 31 customers attacked by WastedLocker, a ransomware that researchers from NCC Group had previously disclosed and attributed to the Evil Corp cybercriminal gang.

"The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks," said a blog post written by Symantec's Critical Attack Discovery and Intelligence Team, which noted the total number of attacks was "likely much higher."

"Had the attackers not been disrupted, successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains," the report continued.

All of the targeted organizations are based in the U.S., and most are major corporations, though the industry sectors they operate in vary, the report noted. Five of the targets operate in the manufacturing space, four in information technology and three in media and telecom.

NCC Group previously reported that WastedLocker targets removable, fixed, shared and remote drives for encryption, ignoring files smaller than 10 bytes as well as any blacklisted directories or extensions.

“Each file is encrypted using the AES algorithm with a newly generated AES key and IV (256-bit in CBC mode) for each file,” the NCC Group blog post said. “The AES key and IV are encrypted with an embedded public RSA key (4096 bits). The RSA encrypted output of key material is converted to base64 and then stored into the ransom note.” This note is created every single time a file is encrypted.
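The scheme NCC Group describes is textbook envelope encryption, and seeing it in code makes clear why the base64 blob in the note is the only recovery path: every file gets its own AES key and IV, and those 48 bytes are wrapped with a public key whose private half never touches the victim's machine. The block below is an added example for this page, not WastedLocker's code. It assumes RSA-OAEP padding and PKCS#7 block padding (the report does not say which were used) and a note layout that is just the base64 blob; it needs the `cryptography` package.

```python
"""Envelope encryption in the shape NCC Group describes for WastedLocker:
a fresh AES-256 key and IV per file, AES-CBC for the data, the key material
wrapped with an embedded RSA-4096 public key and stored base64-encoded in the
ransom note.  Added example, not WastedLocker's code.  Assumptions: RSA-OAEP
padding and PKCS#7 block padding (the report does not say which were used),
and the note layout.  Requires the 'cryptography' package."""
import base64
import os

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

RSA_BITS = 4096
KEY_LEN, IV_LEN = 32, 16          # AES-256 key, 128-bit CBC block
OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(hashes.SHA256()),
                         algorithm=hashes.SHA256(), label=None)


def encrypt_file_bytes(plaintext, public_key):
    """Encrypt one file's contents.  Returns (ciphertext, base64 wrapped key||iv);
    the second value is what ends up in the ransom note."""
    key, iv = os.urandom(KEY_LEN), os.urandom(IV_LEN)   # unique per file
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    wrapped = public_key.encrypt(key + iv, OAEP)   # only the private key unwraps this
    return ciphertext, base64.b64encode(wrapped).decode("ascii")


def decrypt_file_bytes(ciphertext, note_blob, private_key):
    """Operator-side decryptor: unwrap key||iv with the private key, then AES-CBC."""
    material = private_key.decrypt(base64.b64decode(note_blob), OAEP)
    key, iv = material[:KEY_LEN], material[KEY_LEN:KEY_LEN + IV_LEN]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def note_blob_is_plausible(note_blob, rsa_bits=RSA_BITS):
    """Responder's check on a note: valid base64 that decodes to exactly one RSA
    block (512 bytes for RSA-4096).  Anything else is not this scheme."""
    try:
        raw = base64.b64decode(note_blob, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    return len(raw) == rsa_bits // 8


def demo():
    """Round-trip one constructed file and report the properties a responder sees."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=RSA_BITS,
                                           backend=default_backend())
    public_key = private_key.public_key()
    sample = b"constructed sample document contents\n" * 40
    ct1, blob1 = encrypt_file_bytes(sample, public_key)
    ct2, blob2 = encrypt_file_bytes(sample, public_key)
    return {
        "round_trip_ok": decrypt_file_bytes(ct1, blob1, private_key) == sample,
        "fresh_key_per_file": ct1 != ct2 and blob1 != blob2,
        "blob_plausible": note_blob_is_plausible(blob1),
        "blob_b64_len": len(blob1),     # 684 characters for a 512-byte RSA block
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two practical consequences follow from the structure. First, the per-file key means recovering one file's key (say, from a memory dump taken mid-encryption) unlocks only that file; what a responder should preserve is process memory and the notes, not just the ciphertext. Second, the note blob should always decode to exactly the RSA modulus length; a note that does not is either a different family or a variant worth re-analysing.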

NCC Group also noted that the Evil Corp actors were still relying on one of their tried-and-true distribution methods to infect victims with Cobalt Strike and WastedLocker: They are using the SocGholish malicious framework to trick users into thinking they are downloading browser and Flash updates, when they are actually installing the malware.

Symantec reported that it has discovered "at least 150 different legitimate websites that refer traffic to websites hosting the SocGholish" framework, which is delivered via a zip file. "It is possible that these websites lead to different malware, as such redirection services can be utilized by multiple actors at the same time," the blog post said.

"The attackers behind this threat appear to be skilled and experienced, capable of penetrating some of the most well protected corporations, stealing credentials, and moving with ease across their networks," Symantec concluded in its post. "As such, WastedLocker is a highly dangerous piece of ransomware. A successful attack could cripple the victim's network, leading to significant disruption to their operations and a costly clean-up operation."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
