Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент ThiefQuest
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
ThiefQuest
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.(Citation: Reed thiefquest fake ransom) Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)
ID: S0595
Associated Software: EvilQuest MacRansom.K
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 19 Mar 2021
Last Modified: 16 Apr 2022

Associated Software Descriptions
Name Description
EvilQuest (Citation: Reed thiefquest fake ransom)
MacRansom.K (Citation: SentinelOne EvilQuest Ransomware Spyware 2020)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ThiefQuest uploads files via unencrypted HTTP. (Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)
Enterprise T1059 .002 Command and Scripting Interpreter: AppleScript

ThiefQuest uses AppleScript's osascript -e command to launch ThiefQuest's persistence via Launch Agent and Launch Daemon. (Citation: wardle evilquest parti)
Enterprise T1543 .001 Create or Modify System Process: Launch Agent

ThiefQuest installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.(Citation: wardle evilquest parti)
.004 Create or Modify System Process: Launch Daemon

When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true establishing persistence as a Launch Daemon. (Citation: wardle evilquest parti)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

ThiefQuest hides a copy of itself in the user's ~/Library directory by using a . at the beginning of the file name followed by 9 random characters.(Citation: wardle evilquest parti)
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes.(Citation: wardle evilquest parti)
Enterprise T1056 .001 Input Capture: Keylogging

ThiefQuest uses the CGEventTap functions to perform keylogging.(Citation: Trendmicro Evolving ThiefQuest 2020)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of “unwanted” security related programs, and kills the processes for security related programs.(Citation: wardle evilquest parti)
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

ThiefQuest invokes time call to check the system's time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls and the amount of time the system slept to identify the sandbox.(Citation: wardle evilquest parti)

References

  1. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  2. Phil Stokes. (2020, July 8). “EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One. Retrieved April 1, 2021.
  3. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 18, 2021.
  4. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
  5. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
  6. Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.