EvilQuest Ransomware laden with a keylogger Attacks macOS
Ransomware written exclusively for macOS is rather rare. EvilQuest is an example of this nasty malware targeting Apple systems. It encrypts data and, to make matters worse, it is laden with a keylogger.
According to security researcher Patrick Wardle, EvilQuest is only the third ransomware strain that targets macOS computers exclusively. The other two are KeRanger and Patcher.
What is more, EvilQuest is two-in-one, so to speak. First, this pest is classic ransomware: once executed, it encrypts data and informs the user by means of a text popup. But that isn't all. After the encryption process ends, the ransomware installs a keylogger to record all of the user's keystrokes.
It also sets up a reverse shell on the system, which lets the attacker connect to the infected host and execute predefined commands. Using this access, EvilQuest finds and steals files typical of cryptocurrency wallet applications.
The first analysis of the likely infection vectors was published on June 29 by security researcher Dinesh Devadoss. It suggests that EvilQuest has most likely been in distribution since the beginning of June. According to the study, “EvilQuest is hiding in pirated macOS software that has been uploaded to torrent portals and online forums.”
Software that various security researchers report as carrying the malware includes “Google Software Update”, the macOS security tool Little Snitch, and pirated copies of the DJ software “Mixed In Key”.
Researchers suspect that many other apps currently carry this pest. The infection also relies on users being careless and not paying attention to an installation warning. Patrick Wardle noted that “macOS users who attempt to pirate software may ignore this warning.”