
Rewterz Threat Alert – EvilQuest Wiper Uses Ransomware Cover to Steal Files From Macs

July 1, 2020

Severity

High

Analysis Summary

Impersonating the Google Software Update program, the EvilQuest wiper has been found targeting macOS with almost zero detection. This new piece of macOS ransomware was found in pirated versions of popular macOS software shared on popular torrent sites. This infection method is common and at least somewhat successful. The malware encrypts files and leaves a ransom note.

Image

The ransom note .txt file, when opened, looks like this:

Image

The malware also appears to handle tasking from a command and control server (andrewka6.pythonanywhere[.]com). Such tasking includes:

  • executing a command
  • starting the keylogger
  • executing a module directly from memory

Armed with these capabilities, the attacker can gain full control over an infected host!

Impact

  • File encryption
  • Remote code execution
  • Credential theft
  • Information theft
  • System compromise

Indicators of Compromise

Domain Name

  • andrewka6[.]pythonanywhere[.]com

MD5


SHA-256


SHA1


Source IP

  • 167[.]71[.]237[.]219

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download software from unauthentic sources.
  • Keep all systems and software updated to latest patched versions. 
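The first remediation step, blocking the indicators, is easier to verify when the advisory's network indicators are matched against existing DNS and proxy logs. The following is an added example, not code from the advisory or from Rewterz: it refangs the domain and source IP listed above, matches hostnames exactly or as subdomains (but not when the indicator is merely a prefix of a longer name), and runs over constructed sample log lines whose format is an assumption.

```python
import ipaddress
import re

# Network indicators from the advisory, kept in their defanged form.
DEFANGED_DOMAINS = ["andrewka6[.]pythonanywhere[.]com"]
DEFANGED_IPS = ["167[.]71[.]237[.]219"]


def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# A hostname ends in an alphabetic label, so dotted IPv4 literals do not match here.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def host_matches(host):
    """True if host equals an IoC domain or is a subdomain of one (not a lookalike prefix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_line(line):
    """Return the indicators referenced on a single log line, hostnames first."""
    hits = [h.lower() for h in HOST_RE.findall(line) if host_matches(h)]
    for ip in IP_RE.findall(line):
        try:
            if ipaddress.ip_address(ip) in IPS:
                hits.append(ip)
        except ValueError:  # e.g. '999.1.1.1' matched the regex but is not an address
            pass
    return hits


def scan_log(lines):
    """Return (line_number, line, hits) for every line that references an indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines (assumed format, not taken from the advisory).
SAMPLE_LOG = [
    "2020-07-01T10:02:11Z dns client=10.0.0.12 query=andrewka6.pythonanywhere.com type=A",
    "2020-07-01T10:02:12Z proxy client=10.0.0.12 dst=167.71.237.219:443 url=https://andrewka6.pythonanywhere.com/ action=allow",
    "2020-07-01T10:05:40Z dns client=10.0.0.33 query=updates.example.com type=A",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```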
