EvilQuest Ransomware

Summary

First seen in early 2020, EvilQuest is an infostealing trojan and data wiper distributed through pirated software sites.


Affected platforms

The following platforms are known to be affected:

  • macOS

Threat details

Introduction

EvilQuest (also known as ThiefQuest) is a newly observed information-stealing trojan targeting macOS devices. It can also act as a data wiper, presumably to disguise its primary functionality.

Delivery

EvilQuest is delivered disguised as legitimate utility applications hosted on third-party torrent sites. When opened, it performs several anti-analysis and anti-emulation checks before opening a remote shell connection to a command and control (C2) server.

Activity

Once installed, EvilQuest downloads and executes several Python scripts hidden in GIF files. These scripts search the /Users folder for any file types that match a hard-coded list, Base64-encode them and send them to the C2 server. Interestingly, it will not extract files larger than 800KB, despite many of the targeted file types being far larger than this. Once all suitable files have been extracted, EvilQuest begins encrypting non-system files using an unidentified algorithm. The encryption functionality appears to be broken, with files seemingly encrypted at random, partially encrypted, or simply destroyed.
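As an added example (not part of this advisory, and not a tool from NHS Digital or the researchers it cites), the following hunt looks for the hiding technique described above: files named .gif that actually carry Python script text. The GIF magic values are real; the script markers, verdict labels and sample files are assumptions to tune for your own environment.

```python
# Added example, not from the NHS Digital advisory: hunt for .gif files that
# carry Python script text. Markers and verdict names are assumptions.
import os
import re
import tempfile

GIF_MAGIC = (b"GIF87a", b"GIF89a")
SCRIPT_MARKERS = (                       # assumed heuristics; tune locally
    re.compile(rb"^#!.*python", re.M),
    re.compile(rb"^\s*(import|from)\s+\w+", re.M),
    re.compile(rb"^\s*def\s+\w+\s*\(", re.M),
)

def classify(data: bytes) -> str:
    """'gif', 'script-in-gif' (header + script), 'fake-gif' or 'unknown'."""
    header_ok = data.startswith(GIF_MAGIC)
    # require two independent markers so binary noise does not match
    looks_script = sum(1 for m in SCRIPT_MARKERS if m.search(data)) >= 2
    if header_ok and looks_script:
        return "script-in-gif"
    if header_ok:
        return "gif"
    return "fake-gif" if looks_script else "unknown"

def scan_tree(root: str) -> dict:
    """Map every suspicious *.gif under root to its verdict."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".gif"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first MiB is enough for markers
            verdict = classify(data)
            if verdict != "gif":
                hits[path] = verdict
    return hits

def demo() -> dict:
    """Write three constructed samples to a temp dir and scan them."""
    root = tempfile.mkdtemp()
    samples = {
        "clean.gif": b"GIF89a" + bytes(range(256)),
        "dropper.gif": b"GIF89a\nimport base64\ndef run():\n    pass\n",
        "bare.gif": b"#!/usr/bin/env python\nimport os\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return {os.path.basename(p): v for p, v in scan_tree(root).items()}
```

Run scan_tree against /Users (or the user profile directory) and review any hit by hand; a valid GIF followed by script text is the shape the advisory describes.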


Threat updates

8 Jul 2020: Encryption algorithm details

EvilQuest's encryption implementation has been reverse-engineered by security researchers to produce a recovery tool.

The encryption is based on the older RC2 algorithm, and files encrypted by EvilQuest can be decrypted using SentinelOne's tool. Please note that NHS Digital do not test or endorse third-party tools, and organisations use them at their own risk.

6 Jul 2020: Keylogging functionality

A new variant of EvilQuest has been observed with keylogging functionality.


Remediation advice

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

File hashes

SHA1

  • 178b29ba691eea7f366a40771635dd57d8e8f7e8

SHA256

  • f409b059205d9a7700d45022dad179f889f18c58c7a284673975271f6af41794

Last edited: 8 July 2020 4:21 pm