New EvilQuest Mac Ransomware Discovered In Pirated Apps

A new variant of ‘EvilQuest’ ransomware is spreading through pirated Mac apps. According to Malwarebytes, the ransomware was found embedded in the pirated version of the “Little Snitch app” available on a Russian forum.

The Pirated Little Snitch app

Experts noticed something dubious with the illicit version of Little Snitch app right from the point of download. As it has a generic installer package.

Although, the installer mimics the original version of Little Snitch however an executable file named “Patch” that will get fixed in “/Users/Shared directory“. Along with that, a post-install script is also installed on the machine.

After which, the Patch file gets moved to a new location by the installation script. Next, it gets renamed as CrashReport, which is a legitimate Mac OS process. However, it hides the process from the Activity Monitor.

Further, the Patch file then installs itself in several locations on the Mac.

The ‘EvilQuest’ Ransomware

The EvilQuest ransomware encrypts the data files along with changing settings on the Mac. As it encrypts the files like Keychain files, as a result the user gets an error while trying to access the iCloud Keychain.


Mac Ransomware EvilQuest-keychain

After installation of the script, the Finder was found to malfunctioned. As well as the dock along with other apps will not function properly.

Furthermore, Malwarebytes reports that the ransomware was working poorly. And it was not able to get instructions on paying the ransom.

However, as per a screenshot on the forums suggests that it was asking users to pay $50 to recover their files. Unfortunately, the even if you pay the ransom, you will not get access to the files as there was no option to remove the malware remotely for the hacker.New EvilQuest Mac Ransomware Discovered In Pirated Apps

Malware Also Dropped A Keylogger

Additionally, the malware dropped by the pirated app also installed a keylogger to monitor the keystrokes. However, its functions are still unknown. As well as it is unclear that it is capable to send the keystroke information anywhere or not.

Malwarebytes said, that its software was able to remove the malware from computers running on Mac OS. It detected it as Ransom.OSX.EvilQuest. The only way to get access to the encrypted files is by using a backup to restore them.

Experts Recommend Avoiding Installing Of Pirated Apps

As experts have found similar ransomware in other pirated apps too. Thus, Mac users are advised not to install any pirated apps on their computers.

Please do not visit any untrustworthy website or forum as well. There is always a possibility that you will find malicious applications on such websites or forums that can harm your computer.

Make sure you do not access the emails, files, or attachments from unknown senders. Experts have noticed that during the Covid-19 pandemic. As many actors are posing as official websites and duping people installing malware and viruses. Always make sure to check the sender’s address before downloading any file or clicking on any link.

Better to use a reputable anti-virus program to prevent your Mac from being attacked to such threats.

Although, you can use any reliable anti-virus program of your choice, but here what we recommend:

ComboCleaner Anti-virus- A comprehensive protection for Mac users 

Combo Cleaners LogoCombo Cleaner DOWNLOAD LINK
(The above link will open a new page from where the Combo Cleaner will download)
“EvilQuest” may reinstall itself multiple times if you don’t delete its core files. We recommend downloading Combo Cleaner to scan for malicious programs. This may save your precious time and effort. Combo Cleaner scans the infected PC for free but you need to purchase its full version for complete removal. More information on Combo Cleaner.

Double Check for Malicious Files and Enable Safe Browsing Using Intego Internet Security X9

After removing persistent threat EvilQuest, it is important to safe guard the browser. So that it will prevent connecting to any compromised website initiating the download.

The Intego Internet security X9 not only provides real-time antivirus protection for Macs. But also scans files whenever they’re accessed to keep your Mac free of malware.

It it integrated with “Safe Browsing” feature that configures advanced browser settings that will prevent redirects to malicious or fraudulent sites, fake downloads and warn you if you visit any harmful site.

Intego Safe Browsing

Intego Safe Browsing

For File Recovery, you can use Stellar Mac Recovery Professional software.

More From Unboxhow