Researchers have developed a decryption tool for the recently discovered EvilQuest ransomware program designed to target Mac machines. But several analysts now concur that EvilQuest's malicious encryption may be more of a decoy, while the program's true purpose appears to be data exfiltration.
In a new blog post this week, Thomas Reed, director of Mac and mobile at Malwarebytes, backed up an earlier conclusion by BleepingComputer that EvilQuest should be classified more as an information stealer and wiper that attempts to hide its data thievery through misdirection.
Additionally, Mac security company Objective-See has similarly reported that the malware is more than meets the eye, and "far more powerful and insidious" than any "mundane ransomware."
Multiple analyses of EvilQuest have found that aside from encrypting files, the malware includes capabilities for keylogging, in-memory code execution, anti-analysis techniques and installing a reverse shell for remotely executing commands. But most notable is a Python script that reportedly searches for particular file formats in the /Users folder, encodes these files using base64 and sends them and their paths to a command-and-control server. BleepingComputer reports that these files include images, Word documents, SSL certificates, code-signing certificates, source code, projects, spreadsheets, databases, crypto wallets and more.
The ransomware component, meanwhile, might simply be a disruptive form of window dressing intended to trick victims.
"We definitely think the goal is more to hide evidence rather than being a real ransom," said Reed in an interview with SC Media. "If the attacker were doing this for purely destructive purposes, they would not likely go to the effort of writing all the other code, and could have done a better job of destroying data."
Even if the encryption isn't fully effective at damaging a victim's files, it may be enough to conceal that data exfiltration took place. "In theory, the first thing someone is likely to do after getting hit with ransomware is wipe the machine and restore from backup. This means they'd never know about the data exfiltration," Reed continued. "I don't know whether that's a better outcome than silent exfiltration that goes completely unnoticed, though."
Because of its info-stealing capabilities, and to avoid confusion with an unrelated video game called EvilQuest, BleepingComputer and Malwarebytes have instead begun referring to the malware as ThiefQuest. According to the research firms, there were several clues that EvilQuest/ThiefQuest's creators weren't too heavily interested in the malicious encryption component. Certainly, one of them is the fact that researchers at SentinelLabs were able to produce a decryption tool relatively easily.
In its own company blog post, SentinelOne reported that EvilQuest's developers opted for symmetric key encryption, and according to research lead Jason Reaves, “…the clear text key used for encoding the file encryption key ends up being appended to the encoded file encryption key. Taking a look at a completely encrypted file shows that a block of data has been appended to it.”
It was this discovery that enabled SentinelOne to devise a decryptor.
"The encryption really wasn't very strong. It was RC2, which was designed back in the '80s and is vulnerable to some known methods for cracking it," Reed told SC Media. "Further, the encryption key was appended to the end of each file. So this is definitely further info that supports the theory that the ransom is only a cover."
"Crypto is hard, and about the one thing everyone who is smart enough to do it will tell you is this: don’t try and roll your own, because you will inevitably do it wrong," explained the SentinelOne blog post, authored by threat researcher Phil Stokes. "Successful ransomware operators are smart enough to follow that advice and will use established encryption algorithms, typically with at least some component being asymmetric."
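The design flaw Reaves describes (the key that encodes the file-encryption key travels inside the encrypted file, alongside the encoded key itself) is easiest to see in code. The following is an added illustration, not code from the article, from SentinelOne, or from the malware: a toy symmetric scheme that reproduces that layout and a recovery routine that undoes it using nothing but the file's own contents. The keystream built from hashlib is a stand-in for the RC2 the sample reportedly used, and the trailer layout, field sizes, the `MAGIC` marker and the function names are all assumptions made for the example.

```python
"""
Added illustration of the "key appended to the file" flaw.  Layout produced by
encrypt_file_bytes (assumed for the example, not the real sample's format):

    ciphertext || Enc_k2(k1) || k2 || MAGIC

k1 encrypts the file, k2 "encodes" k1, and both the encoded k1 and the clear k2
are stored in the file, so the holder of the file can always decrypt it.
"""
import hashlib
import os
from itertools import count

KEY_LEN = 16                 # assumed key size for both keys
MAGIC = b"TOYRANSOM"         # constructed trailer marker so the fields can be located


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 over key || counter (not a real cipher)."""
    out = bytearray()
    for counter in count():
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def stream_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def encrypt_file_bytes(plaintext: bytes) -> bytes:
    """Reproduce the flawed layout: ciphertext || Enc_k2(k1) || k2 || MAGIC."""
    k1 = os.urandom(KEY_LEN)           # per-file encryption key
    k2 = os.urandom(KEY_LEN)           # key used to encode k1 ... then stored in clear
    ciphertext = stream_crypt(k1, plaintext)
    encoded_k1 = stream_crypt(k2, k1)
    return ciphertext + encoded_k1 + k2 + MAGIC


def parse_trailer(blob: bytes):
    """Split an encrypted blob into (ciphertext, encoded_k1, k2)."""
    if not blob.endswith(MAGIC):
        raise ValueError("no trailer marker present")
    body = blob[: -len(MAGIC)]
    if len(body) < 2 * KEY_LEN:
        raise ValueError("trailer too short to hold both key fields")
    k2 = body[-KEY_LEN:]
    encoded_k1 = body[-2 * KEY_LEN : -KEY_LEN]
    ciphertext = body[: -2 * KEY_LEN]
    return ciphertext, encoded_k1, k2


def recover_plaintext(blob: bytes) -> bytes:
    """Decrypt using only what the file carries: recover k1 with k2, then the data."""
    ciphertext, encoded_k1, k2 = parse_trailer(blob)
    k1 = stream_crypt(k2, encoded_k1)
    return stream_crypt(k1, ciphertext)


if __name__ == "__main__":
    sample = b"constructed sample document contents"
    blob = encrypt_file_bytes(sample)
    assert recover_plaintext(blob) == sample
    print("recovered", len(sample), "bytes from a", len(blob), "byte blob using the appended keys")
```

The recovery function needs no secret at all, which is exactly why a decryptor could be produced so quickly: every file carries its own keys. Contrast this with the design Stokes describes, where the per-file key is wrapped under an asymmetric public key and the matching private key never touches the victim's machine; there the trailer would still exist but would be useless to anyone without that private key. The hashlib-based keystream above is itself a home-made construction and is used only to keep the example free of third-party dependencies.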
But if the ransomware component is a ruse -- a distraction -- then it doesn't have to be entirely effective.
Indeed, Stokes opined that EvilQuest, as ransomware, "fails pretty much on any measure of success," but as a complete malware, it is "one of the more complex threats to be seen so far targeting the Mac platform."
Other clues that EvilQuest's true end game was not malicious encryption: the ransom note only asks for a paltry sum of $50, there was no attacker email address to contact for extortion payment purposes, and the malicious actors provided the same Bitcoin wallet address to every victim, which would make it impossible for the adversaries to see who paid and who didn't.
One additional distinct characteristic of EvilQuest -- noted by Patrick Wardle, founder of Objective-See -- is that it fits the definition of a true virus, in that it can replicate itself by inserting code into and modifying executables or apps on an infected machine, in automated fashion. Malwarebytes noted that this is "something that has not been seen on Macs since the change from System 9 to Mac OS X 10.0."
"We definitely believe that the malware is still a work in progress, as there are two distinct variants with minor differences," said Reed. "We won't be surprised to see this continue to be developed, although this early detection may also cause a setback for the attacker."