ThiefQuest, a recently found ransomware specifically for Macs, appears to contain an additional component that actively searches for credentials on a device.

These findings were the result of intensive research into the new ransomware. At the end of June, cybersecurity company K7 Lab published the discovery of the existence of a new variant of ransomware aimed at Mac users, called ThiefQuest. This is a rare discovery, as ransomware targetted at Mac computers is not very common. Four years ago, the first version was detected, and since then, Mac users have become a more appealing target for hackers.

Apart from encrypting files on a Mac, ThiefQuest contains a Spyware component that searches the device for credentials, credit card details and other financial information. There is also a keylogger included. The tool also serves as a backdoor, allowing hackers to return at a later time to do additional attacks.

Dangerous but not a huge risk

While ThiefQuest might result in a lot of problems on Mac, the chance of a device being infected is relatively small. The malicious software was found in files that pretended to be existing software that could be downloaded from torrent sites. The malware itself looks like the Google software updater, which in itself is highly suspicious as the apps it disguises as include Little Snitch, Mixed In Key and Ableston; a security program and two music apps.

Strange ransomware components

According to the researchers, the number of detected downloads from infected installers is small, and so far no one actually transferred any money to the specified bitcoin address. This is not remarkable since the ransomware has several peculiar details that make it questionable whether the ransomware is the primary purpose.

The application contains an address to which users have to transfer the cryptocurrency, but no additional code whatsoever to show which device it is referring to. Also, no email address can be contacted to get a key to decrypt the files. Finally, the attached component to restore the files is said not to work correctly.