On Sunday 28 June, K7 Lab's malware researcher Dinesh Devadoss wrote on Twitter about a new malware program that was not yet being detected by any antivirus engine. The malware was initially named EvilQuest but has since been renamed ThiefQuest to avoid confusion with the game EvilQuest.

macOS #ransomware impersonating as Google Software Update program with zero detection.

MD5: 522962021E383C44AFBD0BC788CF6DA3, 6D1A07F57DA74F474B050228C6422790, 98638D7CD7FE750B6EAB5B46FF102ABD @philofishal @patrickwardle @thomasareed

Thomas Reed of Malwarebytes discovered that the malicious code had been spread in pirated Mac programs on the Russian torrent forum Rutracker. Most notably it has been found in an infected copy of Little Snitch, a program that, ironically, is commonly used to protect users from malicious activity. EvilQuest has also been found in the DJ software Mixed In Key 8 and in a fake Google Software Update.


The program installs itself in several places in the system and attempts to hide behind names like "com.apple.questd" and "CrashReporter". If you install it on your computer it will begin encrypting files. Some time later you will see a ransom message asking for $50 in bitcoin to decrypt your files.

According to research by Reed, the software installs a legitimate version of Little Snitch and at the same time loads an executable file named "patch" that installs the actual malware. After installation there is a delay of three days so that the user does not associate any problems with the just-installed program. Once three days have passed the malware begins to encrypt files, and after that it demands a ransom. Reed also found traces of a keylogger that registers all keystrokes.
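The persistence names and the MD5 hashes quoted above give a defender something concrete to hunt for. The following Python script is an added example written for this page; it is not code from the article, from Malwarebytes or from K7 Lab. It hashes files and compares them with the three published MD5 values, and it reads launchd property lists looking for Label values that reuse "com.apple.questd" or "CrashReporter". The launchd directories it scans by default are an assumption (the article only says the malware installs itself in "several places"), and the plists written by demo() are constructed sample data.

```python
"""
Added example, not from the article: a small defender-side hunt for the
ThiefQuest/EvilQuest indicators the article names.
  1. hash candidate files with MD5 and compare against the published hashes;
  2. inspect launchd plists for Label values reusing the names the malware
     hides behind ("com.apple.questd", "CrashReporter").
Any hit is a lead for manual review, not a verdict on its own.
"""
import hashlib
import os
import plistlib
import tempfile

# MD5 hashes quoted in the article (from the K7 Lab tweet), lower-cased.
KNOWN_MD5 = {
    "522962021e383c44afbd0bc788cf6da3",
    "6d1a07f57da74f474b050228c6422790",
    "98638d7cd7fe750b6eab5b46ff102abd",
}

# Persistence labels the article says the malware hides behind.
SUSPICIOUS_LABELS = {"com.apple.questd", "crashreporter"}

# Assumed locations to scan: the standard launchd folders, not from the article.
DEFAULT_PLIST_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(path):
    """True if the file's MD5 is one of the published indicators."""
    return md5_of_file(path) in KNOWN_MD5


def suspicious_plist(path):
    """Return the offending Label if a launchd plist reuses a known name, else None."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, OSError, ValueError):
        return None  # unreadable or not a plist: nothing to report here
    label = str(data.get("Label", "")).lower()
    # Match the bare name or a reverse-DNS label ending in it.
    for bad in SUSPICIOUS_LABELS:
        if label == bad or label.endswith("." + bad):
            return data.get("Label")
    return None


def scan_plist_dirs(dirs):
    """Walk launchd directories; return {plist_path: label} for each hit."""
    hits = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                full = os.path.join(d, name)
                label = suspicious_plist(full)
                if label:
                    hits[full] = label
    return hits


def demo():
    """Run both checks over constructed sample data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = {"Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"]}
        # Constructed impersonation sample; the path in it is invented.
        evil = {"Label": "com.apple.questd", "ProgramArguments": ["/tmp/questd"]}
        for fname, content in (("good.plist", benign), ("bad.plist", evil)):
            with open(os.path.join(tmp, fname), "wb") as fh:
                plistlib.dump(content, fh)
        empty = os.path.join(tmp, "empty.bin")
        open(empty, "wb").close()  # zero-byte file: known MD5, not an indicator
        return {
            "plist_hits": scan_plist_dirs([tmp]),
            "empty_md5": md5_of_file(empty),
            "empty_is_ioc": hash_matches(empty),
        }


if __name__ == "__main__":
    print(demo())
    print(scan_plist_dirs(DEFAULT_PLIST_DIRS))
```

Run as a script it prints the demo result and then whatever it finds in the real launchd folders on the machine. MD5 is used only because those are the hashes the tweet published; an attacker who changes one byte of the binary defeats a hash match, which is why the label check and a tool such as the RansomWhere utility mentioned later in the article are better long-term signals than the hashes alone.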

However, it seems that the malware doesn't actually work that well. The security researcher reported that problems occurred during installation. He also suggested that the authors of the malware are not very familiar with the Mac file structure, because keychain data and settings data were also encrypted, which led to prominent alert messages. Forum users reported that they received the ransom note, but Reed actually failed to get his version of the malware to run.

It is possible that the reason Reed was unable to get the malware to run is that it won't run if it detects that it is being executed in a security testing environment, such as a virtual machine. It also won't run if it detects that there are security tools or antivirus programs running on the computer. However, it also seems that the code is designed to hide certain features while making others visible.

There are a few theories about why this is the case. One theory, put forward by Bleeping Computer, is that the ransomware element of this malware is actually a decoy for its real purpose. "We believe that the ransomware is only a decoy for the true purpose of this malware", according to the security experts at Bleeping Computer.

It is thought that the malware starts by stealing files from your computer before it sets about encrypting your system. The ransom demand seems to be more of an afterthought. In fact, the demand that the user pay $50 in bitcoin means that there would be no way to prove that you had paid, as bitcoin is anonymous. Nor is there an email address for contacting the blackmailers.

Apparently some Python scripts hidden in the malware hunt for files such as Word documents, Pages documents and SSL certificates, and then copy them to a remote server. The list of targeted file extensions includes text files, images, Word documents, SSL certificates, code-signing certificates, source code, projects, backups, spreadsheets, presentations, databases, and cryptocurrency wallets, including:

.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat

What to do

Obviously the best way to protect yourself from this and other malware is to only download software from a legitimate source. Ideally only download from the Mac App Store. Failing that, verify that the site is that of the developer. Luckily Apple has a number of measures built in to make it difficult to install software that isn't from a recognised developer, but it is possible to get around these (and malware has been known to walk people through the necessary steps to do so).

Bleeping Computer suggests you could install Wardle's free RansomWhere utility, which detects ThiefQuest.

We have a guide to what to do if you suffer a ransomware attack here.

If you're looking for AV buying advice, read our roundup of the Best Mac antivirus and Do Macs get viruses?; general advice can be found in our Mac security tips; and those who believe they have been hit by a virus should try How to remove a Mac virus. We also have a full list of Mac viruses here.

Parts of this article were translated from Macworld Sweden and Macwelt by Karen Haslam.