ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[1] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[2][3]

ID: S0595
Associated Software: MacRansom.K, EvilQuest
Type: MALWARE
Platforms: macOS
Version: 1.1
Created: 19 March 2021
Last Modified: 05 October 2021

Associated Software Descriptions

Name Description
MacRansom.K

[4]

EvilQuest

[1]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ThiefQuest uploads files via unencrypted HTTP. [2][3]

Enterprise T1059 .002 Command and Scripting Interpreter: AppleScript

ThiefQuest uses AppleScript's osascript -e command to launch ThiefQuest's persistence via Launch Agent and Launch Daemon. [5]

Enterprise T1554 Compromise Client Software Binary

ThiefQuest searches through the /Users/ folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior. [2][3]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.[5]

.004 Create or Modify System Process: Launch Daemon

When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true establishing persistence as a Launch Daemon. [5]

Enterprise T1486 Data Encrypted for Impact

ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.[2]

Enterprise T1041 Exfiltration Over C2 Channel

ThiefQuest exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string.[2][3]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

ThiefQuest hides a copy of itself in the user's ~/Library directory by using a . at the beginning of the file name followed by 9 random characters.[5]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes.[5]

Enterprise T1105 Ingress Tool Transfer

ThiefQuest can download and execute payloads in-memory or from disk.[2]

Enterprise T1056 .001 Input Capture: Keylogging

ThiefQuest uses the CGEventTap functions to perform keylogging.[6]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.[2][3]

Enterprise T1106 Native API

ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration.[2]

Enterprise T1057 Process Discovery

ThiefQuest obtains a list of running processes using the function kill_unwanted.[5]

Enterprise T1620 Reflective Code Loading

ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of "unwanted" security related programs, and kills the processes for security related programs.[5]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl checking the returned value of P_TRACED. ThiefQuest also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging.

.003 Virtualization/Sandbox Evasion: Time Based Evasion

ThiefQuest invokes time call to check the system's time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls and the amount of time the system slept to identify the sandbox.[5]

References