An Obscure New Mac Security Threat that Acts as Ransomware and Malware


Back in 2016, ransomware attacked a Mac computer for the first time. Since then, there have not been many ransomware attacks tailored specifically to Macs, until now. Malware researcher Dinesh Devadoss of K7 Lab discovered a new Mac ransomware called ThiefQuest.

In addition to being a ransomware threat to Mac computers, ThiefQuest has spyware capabilities that allow it to exfiltrate files from the infected machine, search the computer for passwords, and look for cryptocurrency wallet data. ThiefQuest can also run a keylogger to steal sensitive information such as passwords, credit card numbers, or other financial details typed in by the user. The spyware portion of the threat persists on an infected computer even after it is rebooted, which can be used to stage additional attacks.

Patrick Wardle, principal security researcher at the Mac management firm Jamf, says, “Looking at the code, if you split the ransomware logic from all the other backdoor logic the two pieces completely make sense as individual malware. But compiling them together you’re kind of like what? My current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capability as a way to make extra money.”

Fortunately, this dangerous cybersecurity threat is unlikely to threaten your Mac anytime soon – unless of course you’re planning on downloading pirated software.

Thomas Reed, director of Mac and mobile platforms at Malwarebytes, found that ThiefQuest is distributed through torrent sites, bundled with name-brand software. The ransomware has been attached to pirated copies of software including the security application Little Snitch, the DJ software Mixed in Key, and the music production software Ableton.

Devadoss explains that ThiefQuest poses as a Google Software Update program. So far, the threat does not appear to have a significant number of downloads, and there are no reports of a ransom being paid to the attackers’ bitcoin address.

For a Mac to become infected, the user would have to torrent a compromised installer and dismiss several warnings from Apple. When downloading software, users should always obtain it from a trustworthy source, such as the Apple Store, or from developers whose code is “signed” by Apple.

Although the threat appears to be incredibly dangerous, ThiefQuest also seems rather incomplete. The malware shows a ransom note demanding payment, but it lists only a single static Bitcoin address to which the money can be sent. Because every victim is told to pay the same address, and Bitcoin payments carry no identifying information about the payer, the attackers would have no way to tell who has paid and who hasn’t, and therefore no way to determine whose system to decrypt. No email address is listed either that would let a victim correspond with the attacker to receive a decryption key, implying that the malware may not actually be intended to function as ransomware. Patrick Wardle explains that, based on his analysis of the malware, the decryption side of the threat does not appear to be set up to work once deployed.

Malware is usually better left unannounced and unnoticed, since it works secretly to gather your data. Adding ransomware to this malware is unconventional. When users are notified that a security risk is sitting in front of them, that is not exactly the moment they are going to start online shopping or an active session with their bank account. Additionally, once the presence of malware is detected, it is more likely that the security community will flag the software and block it in the future. Announcing a threat through ransomware while trying to conduct malware-style thievery is an obscure tactic.

“I would think if your main goal was data exfiltration you would want to stay in the background, do that as silently as possible, and have the best chance of going undetected,” Reed says. “So I don’t really understand the point of this very noisy ransomware. When I installed it for testing, every 30 seconds the computer was screaming at me, beeping at me all the time. It’s really noisy in both the literal and digital sense.”

Though the threat publicly acts as ransomware, it does include features that help it run quietly as malware. For instance, the malware won’t run if certain security tools are detected. It also stays silent if opened in an environment that is typically used for security testing.

After analyzing the code, Wardle suspects that the malware was intended to run as spyware first, collect the data, and then launch the ransomware as a last-ditch effort to gather funds. Testing by other researchers seemed to support this theory, as they found it harder to trigger the ransomware component that encrypts the files.

Researchers believe that this cyber threat was more likely created by criminal hackers than by nation-state spies. The facts that the malware is being distributed through torrents, still has imperfections in its execution, and seems focused on stealing money all support this conclusion.

As confusing as ThiefQuest’s identity crisis appears, it is clear that it has yet to become a truly destructive threat.

Story via Wired
