Do you have illegal copies of Apple software on your Mac

Be aware that there's a new threat to be concerned about. An info-stealing, data wiping malware strain known as ThiefQuest has been found embedded in torrents of illicit software written for macOS.

While ThiefQuest isn't as commonly seen as some other macOS malware like FileCoder, Patcher, or KeRanger, it's still common enough to stay on the alert for. That's especially if you use any of the popular torrent sites to grab copies of your favorite software.

The malware strain was first spotted in the wild by Dinesh Devadoss, security research for K7 Lab. It was analyzed by Thomas Reed, the Director of Mac and Mobile Services for Malwarebytes, legendary researcher Patrick Wardle, and Bleeping Computer's Lawrence Abrams.

Here's what we know about ThiefQuest

  • It has some advanced anti-detection capabilities, including the ability to check to see if it's running on a virtual machine and if so, it will terminate to avoid detection.
  • It installs a keylogger and opens a reverse shell on the infected machine,
  • It has the ability to check for some of the more commonly used security tools and antimalware solutions, including Kaspersky, Norton, McAffee, Bitdefender, Bullguard, DrWeb, and Avast)

Patrick Wardle noted, "Armed with these capabilities, the attacker can maintain full control over an infected host."

Curiously, ThiefQuest seems almost picky in terms of what files it encrypts. There doesn't appear to be a readily definable pattern, and this can cause a variety of issues on infected systems.

In any event, once it finishes encrypting whatever files it has selected, it will generate a text file named "READ_ME_NOW.txt" that includes ransom instructions. Victims are currently being asked to pay a $50 ransom in Bitcoin within 72 hours of the message being generated, which is a quite modest sum by modern ransomware standards.

Our perspective

Wardle and the other researchers note, however, that it could increase at any time. Beware of ThiefQuest. Although not the most dangerous of malware strains out there, it's certainly a legitimate threat.

~ As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there! " ~


By Denis Wilson and Melissa Stockwell

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. I am also available on LinkedIn, Facebook, and Twitter.

Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT SupportI'm Denis Wilson, President and Principal Consultant for DWP Information Architects. We build people / process / technology solutions to create better business outcomes for smaller enterprises in Los Angeles. We have created cost-effective office productivity and out-sourced service solutions for over 20 years, focusing principally on manufacturing and healthcare.  Our hallmarks are reliability, cybersecurity, and regulatory compliance.

I am also a published author and speaker, working extensively with business and professional associations to provide small business technology education programs.

Contact me if you would like me to speak at your association