Severity
High
Analysis Summary
Impersonating the Google Software Update program, the EvilQuest wiper has been found targeting macOS with almost zero detection. This new piece of macOS ransomware was found in pirated versions of popular macOS software shared on popular torrent sites. This method of infection is common and at least somewhat successful. It encrypts files and leaves a ransom note.
The .txt files, when opened, look like this:
It appears to handle tasking from a command and control server (andrewka6.pythonanywhere[.]com). Such tasking includes:
executing a command
starting the keylogger
executing a module directly out of memory
Armed with these capabilities, the attacker can gain full control over an infected host!
Impact
File encryption
Remote code execution
Credential theft
Information theft
System compromise
Indicators of Compromise
Domain Name
andrewka6[.]pythonanywhere[.]com
MD5
777424b278bc6bb4edcecb82dfbcb37d
17bfc2fc9dce7254fea0bb86c085c52b
9291a3ec715f82ac2ef1545b64e1e51c
b836f7795e946f8e61185e844151c905
a2539ab3e8a30bd4b19b0614b5da04ce
aba3b585dd22d0e1d65ed87fe349b7e1
0e1c274aa0f487d6262e5d2bb4830229
a22e2da6f3ec7f9ddf5f3f8bb8325aeb
d2d4c05889be06d1772b19f6ddbfc9f6
a8440c256c6dc84f93a71b31412c6a9e
295c6945ef3b9cad6ff37c5510b14627
eeebec8b56565a7758f4dbd00ddf4180
569b651ec08732c185ed068d81877cf4
c73e33f13481252ec81486cb9e90719c
eb7cc7cb70d8946f4b25610ca1ba623d
f4368984793e7ab58357c4f675a84366
1e23accebc583eb7be178feabdb826d0
43778d3799840872349146c87b247396
SHA-256
a215dc148ff217dfcdfdb93521dfda34a02db3145b2075ddb1fae5bf02223b08
d0fedd9bd2cf05e0ee71af4c54649058a93a10dfff08c015e273b02e48b93af0
ab0f58f35451e95ec8b3f15dbd0a480f97e263708975f41867e3c91978ff7f48
ad24d8c5ce6e6ef10755dd83a24f13d7d1b42109ff570c3d98fc6a730d452f45
511731ff2e08ac1b1de0ca719f3500b2902d7670dd2b2d5b72b3cae847ab42c8
e361f8adefa02488cceadf7c490784c9da9a9b569d14c4259c12559c1cf223f1
bc4385e99c66cbcc08ce79bb29e34519a34c1b43546dfdbe9427e899508b2d26
1553d8756ce7af3c97291a589fc767b65e0f89940ada15e838243fe292901f42
33cecccbe3775e37ae09df298ba21082544164fa8cb32cdda05bfa8e54faa890
6b51992fa3dd5ca2525375c9fb2eaa032f031f866fd227a8a524e39d12d5e35e
7f149c27e7dc4dfd5f25fd93793dde96e711060881bdfbdd33f8cfdf12674093
993045d0a624e821640576570f0d5d2f3693efbd10115f9fb1d3f9ed91764073
8159fe10644fad806ddd10bca72efb709b887fed129d123e9772dc99290691c7
b94ba5a22f2c203224b51c15a546b049a10681904e9e47e84cdd321bedd78bd9
b2c02f25fdc19bdf994fd1f212a67d3e4fb4433c18af90ac9306c7f97c2d89f1
7d5d69c9b9d55da16212b71ab1b69e96f3003c4ef1b0319d5cbcfaeef26948ed
17e7883fe9581407529f58472fb1a79d844cc742e5f1454197450b71ff033e16
1597e79b7c1783791c96f92cc5a09a0deff7ec682851a881a7e4f4a0c5803309
9a509533b5dcd3185c3979b73f5861956a9cc83c16aaa505cb624342cde6ad8e
79ce6f9265622d499eb9676a544cfda2cebc14ed9c0131c49cf6e8fa80c4994d
e0ca6e395499421bc43a41c625e882df76b90edda3652969d5c28175d076a5f3
d3cd4ae4fa3e760ad3e9495d73cdd0c2699536c5c10f9add84b948730fb1648f
81a8050810975fdfcd93f2f0dbcf4c0ee0cda48851a0e56a693b2077b4677a4c
f5eefed38002d83a9c1f5d993afeba3c358dd1a67272ab3f171e24d5ed894da8
91e98e8db0c3443b76ce9358192086d19f6a917820f4e9bd6daf6fd6668eea01
e1528e284555637fe769177dab7e45ea6292d807448a28be2c465ad245bba428
9f590f8661c7c1a0609d77fa553b127ccf1a441cfc02a8656a15b35e53b62044
fc1450d3df4d99fff2d51e555d829a11b17815d82cb9bba04ec5a32db7cd3e26
567a82e21b6b1181def9f254d9af1fa80fb7667db48298989fc7b5a0576cb9de
7aa2117be248cdfd46dcf6756fa9dd3d210f71e2254a83d6337c9f102d7100d3
51ee1acbf13ac079aeb9749c7feb12f8fa87378d6a2ac94a7c54d7862c8a5563
8bf0a31e8c66d353eafa10b862bf58a1974202544e4a5d5a843501b16aa74e8d
a17d1c6c520f6f4fa1eb9a4411ad37853c946f3870eba8cc4ef3de71c184eeb3
03145f98fa416cea6a6fb2e8705fa9a25c70c79e8792dc40c10a62f0f9b4dea8
54106c44a7f55a673e9afd9b4415f2a372be49f62f2b1ff3e1196a35fbd0aeef
375b8f459c4fe9b3b0a102698578db921914deafec47c7c064ed779a41d0dbc9
81daa16a5653573117b94b49d657cdf32d9b88dcb891df3573581bb7478d096b
2479f5c4b8c44784ac5c603dadd5fad4ad1b80a8a6198aaf4913a2d1a59e8b01
333d13d5d4e6886848640880a8a9abe8d8f5045d116bbaf6bd328f43a8529c00
3af8dec60474c1f1c47026ea1aa87f3dc25329d69eed92cbdac95ecabd30e87d
45368be16794ebd47ec7b5bf1607eb9d3281ce7101715a1b99b3d50806f090dd
fc1ee4df3f52cc7d1bbd185beba983a398a4f5f990c4b1f6758e52f34a13024c
b24dd25b42e82a9b4a3fedf05913a4318154e6b04d7e54510f9d3dcf4c8d3438
2ce315aa047239222ede240df7b847f7b5070e792a39d3db148669a4fc07afa8
1a8f442575df82083507e18112198b3f7e51c4f5095ba96197468a9d4fca2ffd
46d75230716fd873f98c1c28e814ad2576b173bd4b23e44d794091536adb7adb
a36f63c0ce79bdf4dc74575f26611ff91b4448784e9a5b62f0414eb3e36bf42d
d43291684d6412f537d7f2001c21ad58313643a3556b730c287aed2015624a31
8e37e7c4995235301ce093557f3b0c9eafcc887469eae10d1356e936a18808ed
f409b059205d9a7700d45022dad179f889f18c58c7a284673975271f6af41794
b852b2c6b389e3176ceac9549c7d061aa6308f34022a24324dc44f8c39c35f04
851ce39495677eb52b5b7ceeeb769aacd9e4de90972a2e3fc51335b954d13aa0
07677fcec0276f6108f0a6288b9b12a75025d723b3ee7d494623a998883782f8
2a88b8206d7669791a7135c53d0ba7d2bc4d1da9a9972015bd0a1bde3cc9bbbd
SHA1
769e510c4d2aeca1a5969381355bb89808cd65fd
3d1993fb2ed8b33be17273b5c98394128bde5337
f095b7df03f545db8ce7f1d931bf524c8d742c60
8f8a39f3386120d5fb25f2b7cad224fa5610890c
134e4e59c2f3aa22a51a40072e101fa1cf7825e9
ba219ad16e48c79082067bf51881ecf028961f35
967f336bdde9c8f22a193ff3172cc50298584fb7
bd4fa58168569155d8f837c5ef01b6f4408921ec
d3ef5e2831ad52946e42f9a1a0dd31e9c2ceccd3
b1fe8010fc1d27c647b735d6b07279a05b2a8c4b
7463479f9aea3d8edc4b012df1012aadc262a9e6
8914731f5447553828c6da20cf1fd6cb30fb5718
082f393df9ba4bfb73de1b142ecdec0003778e8f
456ece6d19bdef0b2db446a67631eb8a734e286d
08f20a7cb4af29ba8b7ab5476a08132c1e5b29ea
893f0ae5bde30d536d71150a534b3063d5708d8c
a4c9a1a2dc8ffb6746e63c8ddb6632cc9c104e3a
36ec7e81fa89d72e1c4d942a264344b7577f7172
Source IP
Remediation
Block the threat indicators at their respective controls. Do not download software from untrusted sources. Keep all systems and software updated to the latest patched versions.
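One way to put the indicators above to work on a host or file share, as an added example that is not part of the advisory: a small Python checker that parses the hash lists, hashes every file under a directory once (MD5, SHA-1 and SHA-256 in a single pass) and reports any match, and that refangs the defanged C2 domain so it can be matched against DNS or proxy log lines. The three hashes in ADVISORY_HASHES are copied from the lists above; the file contents and log lines inside demo() are constructed for the run and are not from the advisory.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the advisory above. The full lists would be pasted
# into this string the same way; three are kept here for readability.
ADVISORY_HASHES = """
777424b278bc6bb4edcecb82dfbcb37d
769e510c4d2aeca1a5969381355bb89808cd65fd
a215dc148ff217dfcdfdb93521dfda34a02db3145b2075ddb1fae5bf02223b08
"""
DEFANGED_C2_DOMAIN = "andrewka6[.]pythonanywhere[.]com"

# Constructed DNS log lines (not from the advisory) used by demo().
SAMPLE_DNS_LOG = [
    "query A updates.example.com from 10.0.0.5",
    "query A ANDREWKA6.pythonanywhere.com from 10.0.0.7",
    "query A www.example.org from 10.0.0.9",
]

HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")


def refang(indicator):
    """Turn a defanged indicator ('[.]') back into its matchable form."""
    return indicator.replace("[.]", ".")


def load_hash_set(block):
    """Parse a whitespace-separated block of MD5/SHA-1/SHA-256 hashes into a lowercase set."""
    return {h.lower() for h in block.split() if HASH_RE.fullmatch(h)}


def file_digests(path):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_directory(root, iocs):
    """Return [(path, algorithm, digest)] for every file whose digest is in the IoC set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:  # unreadable file: skip, do not abort the sweep
                continue
            for algo, digest in digests.items():
                if digest in iocs:
                    hits.append((path, algo, digest))
    return hits


def find_c2_lookups(log_lines, defanged_domain):
    """Return the log lines that mention the C2 domain, case-insensitively."""
    needle = refang(defanged_domain).lower()
    return [line for line in log_lines if needle in line.lower()]


def demo():
    """Constructed end-to-end run in a temporary directory.

    Writes one benign file and one 'sample' file, adds the sample's SHA-256 to
    the advisory IoC set purely to show what a hit looks like, and returns the
    hit list as (file name, algorithm) pairs.
    """
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(b"constructed benign content\n")
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample content\n")
        iocs = load_hash_set(ADVISORY_HASHES) | {file_digests(sample)["sha256"]}
        return [(os.path.basename(p), algo) for p, algo, _ in scan_directory(tmp, iocs)]


if __name__ == "__main__":
    print("file hits:", demo())
    print("C2 lookups:", find_c2_lookups(SAMPLE_DNS_LOG, DEFANGED_C2_DOMAIN))
```

Hash matching only catches the exact samples listed, so the domain check against DNS and proxy logs is the more durable of the two controls; both are meant to confirm exposure, not to replace blocking the indicators at the perimeter and endpoint as the remediation section says.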