<— Back

EvilQuest: A Brand New Avatar of MacOS Ransomware

12:50 – 13:20(SGT) Friday 4 December, 2020

2020 has been the year of the pandemic in the real world and the year of ransomware for the mac world. Due to its all-in-one Ransomware, Backdoor, and Virus package we must confer upon EvilQuest, an intriguing malware first identified at our Labs in June 2020, the title of Most Outrageous Malware of the Year in the macOS category.

A ransomware specimen is very rare in the macOS threat landscape. In fact it has been more than three years since the last one, OSX/MacRansom (circa mid-2017), which adopted the RaaS approach. Prior to that, back in 2016, there was the KeRanger ransomware. Hence macOS ransomware has been historically negligible. However this year we have witnessed a deluge of EvilQuest samples; we have seen nothing like it even across other types of macOS malware.

In our talk we will focus primarily on the dissection of EvilQuest to gain insights into its various capabilities such as Anti-Analysis, AV-evasion, In-Memory-Execution of payloads, Data Exfiltration, and its art of Self-Disinfection from previously-infected host files to evade detection. We will present the latest variation of the ransomware and its encryption standards which have never been publicly disclosed thus far. We will compare and contrast the kill-chain and modus operandi of the EvilQuest gang vis-a-vis the previous macOS ransomware families.

We will explore EvilQuest’s many lessons about macOS’ closed ecosystem which in practice does not translate to the secure ecosystem that it has always been presumed and purported to be. To conclude, we will discuss the array of detection options we have from a behavior perspective as well as other methods that can be used to arrest EvilQuest at various stages of its kill-chain.