Monday, February 10, 2025
HomeAppleNew Ransomware "EvilQuest" Attacking macOS Users to Encrypts Users Files

New Ransomware “EvilQuest” Attacking macOS Users to Encrypts Users Files

Published on

SIEM as a Service

Follow Us on Google News

A new Mac ransomware strain observed targeting macOS Users through pirated versions of popular mac software shared on popular torrent sites.

Users noted the malicious version of popular software that available for download on a Russian forum that dedicated to sharing piracy software links.

Mac ransomware

The Mac ransomware was first spotted by malware researcher Dinesh Devadoss, that piece of ransomware distributed as a Google software update program based on users commands the malware to be available since 22 June 2020.

The ransomware has zero detections with virus total, all the AV engines marked the application as safe.

Other researchers Thomas Reed, Director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne also investigated the EvilQuest ransomware strain.

Reed who analyzed the malicious version of Little Snitch installer stated that “is attractively and professionally packaged, with a well-made custom installer that is properly code signed.”

The installation process, icons look like the legitimate Little Snitch installer and uninstaller apps, it also runs a shell script once installation completed.

The malware installation process is not much sophisticated, so there below the success rate with the ransomware strain.

Once the malware infection process begins it starts spreading itself around the hard drive and it also set up persistence.

Reed observed, “that files are executed as a part of GoogleSoftwareUpdate which are most commonly found installed due to having Google Chrome installed on the machine.”

Unlike other malware it is not smart enough to encrypt files alone, it also encrypts several settings files and other data files, such as the keychain files.

After infection, if a user tries to log in, it shows the following error with the keychain.

Once the encryption process completed it shows the following ransom notice.

Following are the malware capabilities

  • ransoms your files
  • pops a reverse shell
  • steals your keystrokes
  • executes in-memory payloads

The malware also includes some anti-analysis techniques, if it executed inside the virtual machine, it won’t show it’s full capabilities.

The malware armed with several capabilities allows attackers to gain full control over an infected host.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

Beware of New Mac Malware Spreading via Poisoned Google Search Results

Blue Mockingbird Hacker Group Attack Windows Machines at Multiple Organizations to Deploy cryptocurrency-mining Malware

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...

Ransomware Payments Plunge 35% as More Victims Refuse to Pay

In a significant shift within the ransomware landscape, global ransom payments plummeted by 35%...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Malicious Android & iOS Apps Downloaded Over 242,000 Times, Stealing Crypto Recovery Keys

A sophisticated malware campaign, dubbed SparkCat, has infiltrated Google Play and Apple’s App Store,...

Apple’s macOS Kernel Vulnerability (CVE-2025-24118) Exposes Users to Privilege Escalation Attacks – PoC Released

A critical privilege escalation vulnerability in Apple's macOS kernel has been revealed, posing a...

Apple Service Ticket Portal Vulnerability Leaks Sensitive Information

Apple, one of the most trusted technology brands in the world, recently faced a...