Rewterz Threat Alert – Updates on ThiefQuest, the Quickly-Evolving macOS Malware

Severity

High

Analysis Summary

Besides the old ThiefQuest variant that has been reported by various researchers, we also discovered some improved variants with stronger capabilities and other changes compared with earlier iterations of the malware. For instance, these new variants seem to emerge only days after the detection of older variants. Notably, previously encountered ransomware behavior, such as file encryption and ransom note dropping, have been removed. These new updates are not called by the main code of the malware, and through further investigation, It is discovered that the authors have implemented a new routine for computing and calling the new functions’ addresses. Other versions of these new variants have even obfuscated the function names to make malware tracing more difficult.

The extract_payload() function loads the embedded (and encoded) payload data from the specified file, where the offset and length of its data are saved at the end of the file. After reading the data, it calls eib_secure_decode to decode the payload data.

The attach_payload() function is the opposite to extract_payload(). It reads payload data from a specified source file, encodes them, and saves the encoded data to a specified target file.

The compress_bundle() function encodes the contents of each file in a bundle and saves them to a specified file. On the other hand, the decompress_bundle() function is the opposite of compresss_bundle(). It loads and decodes bundle files from a specified file.

Impact

• Information theft
• Exposure of sensitive data

Indicators of Compromise

MD5

• 322f4fb8f257a2e651b128c41df92b1d
• fd08e82271e3e54122cb603e268390b2
• 8dfaad76396328ebaff57545667f9a3f

SHA-256

• 92ad2b0220f6903fb5fa48ce411af44a60c06031fee3aa682bd28f3f3fde1eda
• d18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2
• 7292004b57562223fed4ee122a956a8db38349c95d4dd8853b1ebc60ef7508b1
• 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b
• f7efda39c80d68db168316732732d04a00fe6fb10f37d1013df1a8a4cde1f68a
• 06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff
• 41036e1b78a122e57f2125526d673ffe3358d7323fc577703662740b3e651dcc
• effeeeadfdc3caf523635fcb86581a807f719fa5e322872854499f5270bc0eba
• c5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833465fd1383d3
• e69e9dc0d343165aa0f5df942d1b48ddd0337c8a79dcdf40f3c3b490d6e96a78
• bcdb0ca7c51e9de4cf6c5c346fd28a4ed28e692319177c8a94c86dc676ee8e48
• 365a5c72f52de964b8dc134d2fc45f9c73ba045cebd9fd397b1e26fdb11bfec6
• eeac57f7ca9df9199f0346ed9097e9f5482c06214cddc162d1500d15d045b4ed
• 851dfdbffd250523c5c7ff07b29778a04ebd44400b12f23d18a6ee5a3fcfbedc

SHA1

• efbb681a61967e6f5a811f8649ec26efe16f50ae
• bea7589ccc984ac1174d25e3ce6bca3f73ff0680
• 13e598a6c38c7adacc5ab6efd8f10df0a9e2998a

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.