“EvilQuest” may be the first virus for the Mac in nearly 20 years

The recently discovered macOS malware EvilQuest, also known as ThiefQuest, includes a ransomware component that encrypts the victim's files and demands a bitcoin payment to the criminals who spread it.

The catch is that there is no mechanism to unlock the files after paying. The few affected users who have paid have not had their files restored, and the security researchers who have dug into the program have not found any built-in decryption routine.

Researchers at SentinelOne have examined the encrypted files and found that each file carries its own encryption key, which makes decryption straightforward. The company has already released a small free tool that restores files encrypted by EvilQuest.
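To illustrate why a key stored inside the encrypted file defeats the extortion, here is an added example (not SentinelOne's decryptor and not the malware's own code). The container layout (an 8-byte marker, a 32-byte per-file key, then ciphertext) and the SHA-256 counter-mode keystream are constructed stand-ins for this demo, not EvilQuest's real format or cipher; the point is that a "decryptor" only has to read the key back out of the file.

```python
import hashlib
import os
import tempfile

# Constructed container layout used by this demo (NOT EvilQuest's real format):
#   MARKER (8 bytes) | per-file key (32 bytes) | ciphertext
MARKER = b"DEMOLOCK"
KEY_LEN = 32


def _keystream(key, length):
    """Counter-mode keystream built from SHA-256. A stand-in for the
    malware's custom cipher; the weakness shown here is in the container
    (the key ships with the file), not in the cipher itself."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def ransom_encrypt(plaintext, key=None):
    """What the 'ransomware' writes to disk: the key travels with the file."""
    key = key if key is not None else os.urandom(KEY_LEN)
    return MARKER + key + _xor(plaintext, _keystream(key, len(plaintext)))


def is_locked(blob):
    return blob.startswith(MARKER) and len(blob) >= len(MARKER) + KEY_LEN


def recover(blob):
    """What a decryptor does: pull the key out of the file and undo the cipher."""
    if not is_locked(blob):
        raise ValueError("not a locked file in the demo container format")
    key = blob[len(MARKER):len(MARKER) + KEY_LEN]
    ct = blob[len(MARKER) + KEY_LEN:]
    return _xor(ct, _keystream(key, len(ct)))


def recover_directory(root):
    """Walk root and restore every locked file in place. Returns the count."""
    restored = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            data = _read(path)
            if not is_locked(data):
                continue
            with open(path, "wb") as f:
                f.write(recover(data))
            restored += 1
    return restored


def demo():
    """Lock two constructed files in a temp dir, then run the decryptor.
    Returns (files_restored, contents_match)."""
    samples = {"report.txt": b"quarterly numbers", "photo.jpg": os.urandom(1000)}
    with tempfile.TemporaryDirectory() as home:
        for name, body in samples.items():
            with open(os.path.join(home, name), "wb") as f:
                f.write(ransom_encrypt(body))
        count = recover_directory(home)
        ok = all(_read(os.path.join(home, n)) == b for n, b in samples.items())
    return count, ok


if __name__ == "__main__":
    print(demo())
```

Nothing in this scheme is held only by the attacker, so the victim never needs to pay; ransomware that actually works wraps each per-file key with the attacker's public key so that only the attacker's private key can unwrap it.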

Malwarebytes has dug deeper into the program and reports that the whole extortion function may in fact be a distraction from the real goal: stealing data.

In some cases the malware downloads a Python script that walks the entire home folder and uploads a large number of files to the command-and-control server, completely unencrypted.

Patrick Wardle's further analysis of the malware shows that it also appears to be the first true virus for the Mac since Mac OS X was released nearly 20 years ago.

Once installed on the Mac, the malware runs a routine that searches the home folder for executable files and prepends malicious code to each of them, so that the code runs every time the infected program is launched. That code can in turn spread the malware to further files and keep the infection going.

A virus, by definition, is malicious code that spreads by infecting existing files, which is exactly what EvilQuest/ThiefQuest does.

The malware has many broken pieces and features that do not work as intended, so Malwarebytes speculates that it was deployed before it was fully developed.

According to Patrick Wardle, affected users are best advised to reinstall macOS completely, for example by restoring from a clone backup made before the computer was infected. Until someone develops a tool that can find and remove the malicious code from every infected file, simply deleting the malware itself is not enough.
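The two passages above, the prepending infection of executables in the home folder and the point that deleting the dropper leaves every infected host in place, are illustrated by the following added example. It is not Wardle's analysis code and not EvilQuest's own routine: the stub bytes, the trailer marker and the layout (stub, original bytes, 8-byte original length, trailer) are constructed for this demo so that a scanner can recognise infected files and a cleaner can restore them. A real cleanup tool would need the actual on-disk structure the malware uses, which is why restoring from a pre-infection backup remains the safe advice.

```python
import os
import stat
import struct
import tempfile

# Constructed on-disk layout for this demo (NOT the real EvilQuest format):
#   VIRAL_STUB | original host bytes | original length (8 bytes, big-endian) | TRAILER
# The stub stands in for the prepended malicious code; the trailer lets the
# stub find and run the original program so the host keeps working.
VIRAL_STUB = b"DEMO-VIRAL-STUB\x00"
TRAILER = b"DEMOTAIL"
FOOTER_LEN = 8 + len(TRAILER)


def iter_executables(root):
    """Yield regular files under root with the owner-execute bit set."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
                yield path


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def is_infected(data):
    """Both ends must match: a shared prefix alone would flag many
    legitimate binaries, a trailer alone could be coincidental."""
    if not data.startswith(VIRAL_STUB) or not data.endswith(TRAILER):
        return False
    orig_len = struct.unpack(">Q", data[-FOOTER_LEN:-len(TRAILER)])[0]
    return len(VIRAL_STUB) + orig_len + FOOTER_LEN == len(data)


def infect(path):
    """Prepender infection of one host file. Returns True if it was modified."""
    data = _read(path)
    if is_infected(data):
        return False
    _write(path, VIRAL_STUB + data + struct.pack(">Q", len(data)) + TRAILER)
    return True


def scan(root):
    """Paths of executables under root that carry the viral stub."""
    return sorted(p for p in iter_executables(root) if is_infected(_read(p)))


def disinfect(path):
    """Strip the stub and trailer, leaving the original host bytes."""
    data = _read(path)
    if not is_infected(data):
        return False
    _write(path, data[len(VIRAL_STUB):-FOOTER_LEN])
    return True


def demo():
    """Throwaway 'home folder' with constructed files: infect every executable
    the way the malware would, scan, then clean.
    Returns (hits_before_cleanup, hits_after_cleanup, originals_restored)."""
    samples = (
        ("bin/tool", b"\xcf\xfa\xed\xfe fake mach-o body", 0o755),
        ("scripts/run.sh", b"#!/bin/sh\necho hi\n", 0o755),
        ("notes.txt", b"just text, not executable\n", 0o644),
    )
    with tempfile.TemporaryDirectory() as home:
        paths = {}
        for rel, body, mode in samples:
            p = os.path.join(home, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            _write(p, body)
            os.chmod(p, mode)
            paths[p] = body
        for p in list(iter_executables(home)):
            infect(p)
        before = scan(home)          # the hosts stay infected whatever happens to the dropper
        for p in before:
            disinfect(p)
        after = scan(home)
        restored = all(_read(p) == body for p, body in paths.items())
    return len(before), len(after), restored


if __name__ == "__main__":
    print(demo())
```

The scanner walks every executable rather than looking for one known malware binary, which is exactly the work that deleting the dropper does not do; with a layout that is not known in advance, the only reliable restore is a copy of the file from before the infection.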