New Mac malware found lurking on pirate sites

  • Apple
  • Friday, 03 Jul 2020

New Mac malware, ThiefQuest, camouflages itself on torrent sites to trick those downloading pirated software into installing it. — Bloomberg

Security researchers have discovered a malware that targets Mac users, which is likely to affect those who use pirate sites.

Cybersecurity firm K7 Lab’s malware researcher Dinesh Devadoss tweeted his findings about the Mac malware, dubbing it ThiefQuest.

Wired reported that in addition to being ransomware, ThiefQuest also doubled as spyware, being able to exfiltrate files, search for passwords and cryptocurrency wallet data, and use a keylogger to record users’ typing to discover passwords, credit card numbers and other sensitive information.

Ransomware works by restricting a user from accessing their computer or specific valuable files, until they pay the ransom. Meanwhile spyware tracks users’ activity on a computer, tracking keystrokes or even recording their activity using the web camera.

Thomas Reed, director of Mac and mobile platforms at cybersecurity firm Malwarebytes, said ThiefQuest was being distributed on torrent sites bundled with name-brand software.

However, the researchers found it did not yet have a significant number of downloads, nor had anyone paid a ransom to the Bitcoin address the attackers provided.

They note that users would need to torrent a compromised installer then dismiss the warnings by their Mac in order to run it.

This meant the malware was likely to hit those who download unvetted software and ignore their own device’s warnings.

Patrick Wardle, principal security researcher at Mac management software maker Jamf, said the malware’s purpose was also confusing, as the ransomware and spyware features sometimes got in each other’s way.

He explained that spyware would usually try to go undetected so it could discover as much as possible about its victim.

However, ransomware has to announce itself in order to demand a ransom, which would put the victim on alert and likely stop them from using the computer further. This in turn reduces the spyware’s access to the victim and thus affects its ability to spy on them.

Wardle said the malware was also able to survive the computer being rebooted and would continue to create a backdoor to the infected device, making the computer vulnerable to other future cyberattacks.

"My current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capability as a way to make extra money," he said.

Apple declined to comment on Wired’s story.
