
Posted on August 6, 2020

In June, security researchers discovered a new variant of Mac malware: ThiefQuest (also known as EvilQuest, EffectiveIdiot, and Mac.Ransom.K).


ThiefQuest created a flurry of excitement in the Mac security community, because it appeared to be something extremely rare: honest-to-goodness ransomware for macOS. However, after further analysis, it turned out to be something even more interesting: an evolving hybrid threat that combines ransomware, spyware, and data theft capabilities.

Distribution method

ThiefQuest is being distributed through malicious installer files for pirated apps, including the DJ app Mixed In Key, the music production app Ableton, and the firewall app Little Snitch. It should be noted that all of these apps are legitimate software, and that their developers have nothing to do with ThiefQuest — only the pirated versions of the apps contain malicious components.


If a trojanized installer is not signed with an Apple Developer ID, users will see a warning when they click on it, but they will have the option to ignore this warning and launch the app anyway.


ThiefQuest as ransomware

ThiefQuest, at first glance, appears to be ransomware for macOS. When its ransomware functionality is triggered, ThiefQuest begins encrypting files on the infected system, and eventually directs the victim to a simple ransom note on their Desktop. The note informs the user that they have been infected, and instructs them to send $50 in bitcoin to an anonymous Bitcoin wallet address.

However, there are several reasons to suspect that the ransomware functionality of ThiefQuest isn’t really its primary purpose at all.

First of all, ThiefQuest doesn’t appear to take encryption all that seriously. It uses a weak standard to encrypt the compromised machine’s files — a fact that allowed malware researchers at SentinelOne to build a working decryptor tool within weeks of the new malware’s discovery.

Secondly, as security researcher Phil Stokes points out, ThiefQuest demands a relatively paltry ransom (just $50 USD), and offers no way for a victim to contact the bad guys to inform them that the ransom has been paid. In addition, researchers have noticed that the Bitcoin wallet address given in several different samples is identical, meaning that if one of the ransomware’s victims did decide to pay, there would be no way for anyone to know which infected computer had actually paid the ransom. As Stokes wryly notes, that generic Bitcoin wallet address has seen a grand total of zero transactions — meaning that whatever else it may be, ThiefQuest is not exactly a model of persuasive ransomware!

A final oddity of this “ransomware” is that it appears to leave an infected computer mostly intact: even after it is active, victims can still access and use their systems.

All of this means that if ThiefQuest is only ransomware and nothing more, then things don’t add up. It’s either very badly designed ransomware, or it’s something else — perhaps something that was never intended as ransomware in the first place — with the half-baked ransomware functionality serving as a distraction.

ThiefQuest as spyware and data exfiltration malware

Upon closer inspection, the security researchers analyzing ThiefQuest discovered that it was indeed much more than just shoddy ransomware!

In his detailed two-part analysis, Patrick Wardle notes that the malware’s code contains evidence of spyware functionality. There is a command that starts a keylogger, which records keypresses on the system and passes them to several other functions that output the captured data as formatted strings.

Wardle also found that ThiefQuest is designed to steal certain types of files from its victims. Once activated, the malware’s data exfiltration functionality creates an inventory of the directories and files on the infected machine, and then searches for files that fall into certain sensitive categories (in particular, certificates, cryptocurrency wallets, and keys). If ThiefQuest finds files of interest, it will send their contents back to its command and control server.

ThiefQuest can also contact its C&C server to receive malicious payloads, which can then be executed on the infected machine. The malware appears to support both in-memory payload execution and, as a backup, on-disk execution. In addition, ThiefQuest is able to execute commands given to it by the remote server, and it can also retrieve encoded files and download them onto a compromised system.

In short, whatever failings ThiefQuest may have in the ransomware department, it more than makes up for them with the sophistication and power of its spyware and data exfiltration capabilities!


Other notable features

ThiefQuest has a few other interesting features that are worth mentioning.

Once launched, the malware checks to see if it’s running in a virtual machine (VM) or not. VMs are virtualized operating systems that run in specialized software on a host computer, sort of an “OS within an OS”. Security researchers use virtual machines to study malware safely, so this VM check may indicate that ThiefQuest is attempting to avoid analysis.

In addition, ThiefQuest checks the processes currently running on the system and looks for well-known security products; if it finds one of these, the malware will attempt to shut it down in order to prevent detection.
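Because the malware tries to terminate security products it recognises, a useful defensive signal is simply noticing that an expected protection process has vanished. The following watchdog is an added example written for this page, not code from SecureMac or from any of the researchers cited; the process names in EXPECTED_PROCS are constructed placeholders that you would replace with the daemon names of the tools actually installed on your Mac.

```shell
#!/bin/sh
# Added example (not from the SecureMac post): report when an expected
# security process is no longer running on the machine.
# EXPECTED_PROCS is an assumed, user-supplied list; the two names below are
# constructed placeholders, not real product process names.

EXPECTED_PROCS="${EXPECTED_PROCS:-ExampleAVDaemon ExampleFirewallDaemon}"

# snapshot_procs: print the basename of every running process, one per line.
# On macOS, `ps -axo comm=` lists the executable path or name of each process.
snapshot_procs() {
    ps -axo comm= 2>/dev/null | sed 's#.*/##'
}

# missing_procs SNAPSHOT NAMES: print each name in NAMES that does not appear
# as a whole line in SNAPSHOT. Matching is exact, so "ExampleAVDaemon" does
# not match "ExampleAVDaemonHelper".
missing_procs() {
    snapshot="$1"
    names="$2"
    for name in $names; do
        if ! printf '%s\n' "$snapshot" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# check_once: exit 0 when everything expected is running, 1 otherwise.
# A non-zero exit is the alert condition for whatever scheduler runs this.
check_once() {
    missing=$(missing_procs "$(snapshot_procs)" "$EXPECTED_PROCS")
    if [ -n "$missing" ]; then
        printf 'WARNING: expected security process not running: %s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Usage: sh watchdog.sh --run   (schedule it from launchd or cron)
if [ "${1:-}" = "--run" ]; then
    check_once
fi
```

A process that is missing once may simply be restarting, so in practice you would alert only after two or three consecutive failures; the point of the check is that a security tool silently disappearing is exactly the condition this malware tries to create.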

Finally, ThiefQuest appears to be under active development. New variants have already appeared since the malware was first discovered and analyzed, and one of the new samples even appears to call out Wardle by name — it contains an encrypted string which, when decoded, reads “Hello Patrick”. Whatever else you can say about them, ThiefQuest’s authors appear to have a sense of humor!

How to avoid infection

ThiefQuest is a serious and potentially dangerous hybrid threat for macOS. But there are several simple things you can do to stay safe:

1. Say no to piracy

At the time of writing, all samples of ThiefQuest discovered “in the wild” have been found in pirated versions of popular software. Such pirated apps are often distributed through forums and on filesharing sites. The best way to prevent a ThiefQuest infection is to avoid pirated software and the websites that distribute it. Ethical and legal considerations aside, pirated apps are one of the most common infection vectors used by Mac malware — reason enough to stay far away from them.

2. Follow app safety guidelines

Make sure you’re following best practices for running apps safely on your Mac. Only download apps from the Mac App Store, or directly from the website of an app developer that you know and trust. In addition, pay attention to the alert dialogs shown by macOS. If your Mac warns you that an app hasn’t been signed with a valid Apple Developer ID, then don’t install that app!
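The warning dialog described above is the visible side of a Gatekeeper policy decision that you can also run yourself before opening a download. The script below is an added example for this page, not SecureMac’s own tooling; it assumes macOS, where `spctl` and `codesign` are available, and its sample outputs are constructed to mirror the format those tools print.

```shell
#!/bin/sh
# Added example (not from the SecureMac post): check an app bundle's
# Gatekeeper verdict and signature integrity before launching it.
# Assumes macOS with spctl(8) and codesign(1) on PATH.

# gatekeeper_verdict OUTPUT: classify captured `spctl --assess` output.
# spctl prints "<path>: accepted" or "<path>: rejected" on its first line.
gatekeeper_verdict() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# signing_source OUTPUT: extract the "source=" line that `spctl -vv` prints,
# e.g. "Developer ID", "Notarized Developer ID" or "no usable signature".
signing_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# assess_app PATH: run the real checks and return 0 only when Gatekeeper
# accepts the bundle AND its signature still covers every file inside it.
assess_app() {
    app="$1"
    # Policy evaluation: the same decision behind the macOS warning dialog.
    out=$(spctl --assess --type execute -vv "$app" 2>&1)
    verdict=$(gatekeeper_verdict "$out")
    src=$(signing_source "$out")
    printf '%s: %s (source: %s)\n' "$app" "$verdict" "${src:-none}"
    # Integrity check: a bundle modified after it was signed fails here even
    # if the original developer's signature is otherwise valid.
    if [ "$verdict" = accepted ] && codesign --verify --deep --strict "$app" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Usage: sh assess.sh /path/to/Downloaded.app
if [ $# -gt 0 ]; then
    assess_app "$1"
fi
```

Two outcomes matter for the infections described in this post: an unsigned installer shows `rejected` with `no usable signature`, and a legitimate app whose contents were altered after signing fails the `codesign --verify` step even though the Developer ID it carries is real. Either result is a reason not to open the download.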

3. Use an anti-malware tool

Mac users should always run a reputable, regularly updated malware detection tool as an added precaution. Such tools are equipped to detect newer malware variants like ThiefQuest, and in addition will help keep you safe from Potentially Unwanted Programs, keyloggers, and other security and privacy threats. If you don’t have this kind of protection on your system yet, MacScan 3 is available as a 30-day trial download (and has already been updated with definitions for multiple variants of ThiefQuest).

ThiefQuest is a fascinating piece of malware from a security research standpoint, and a prime example of the continuing evolution of Mac malware. But it’s also a potentially serious threat to Mac users — so if you have additional questions about how to keep yourself safe from ThiefQuest, or deal with a possible infection, please feel free to reach out to us and ask for help.
