Ransomware Targets Mac Users
Malwarebytes Says Malware Hidden in Fake Installer for 'Little Snitch' App
A ransomware strain targeting Mac users is spreading via a fake installer for Little Snitch, a host-based application firewall for macOS, according to the security firm Malwarebytes.
While it can be destructive, this “EvilQuest” ransomware is poorly designed, says Thomas Reed, a director at Malwarebytes. For example, the malware sometimes faces issues with installation, and it cannot always generate a ransom note, he says.
Malwarebytes has not yet determined how many victims have been hit with EvilQuest, Reed says.
The malware is being distributed through a fraudulent installer for Little Snitch that was found on a Russian forum dedicated to sharing torrent links, says Reed, who received a tip about the malware from Twitter user @beatsballert and then tested the fake installer.
"A [forum] post offered a torrent download for Little Snitch, and was followed by a number of comments that the download included malware. In fact, we discovered that not only was it malware, but a new Mac ransomware variant spreading via piracy," Reed says.
So far, only those who download Mac apps via torrent are at risk, Reed says, but he suspects there are other points of distribution.
The legitimate Little Snitch app, created by Objective Development, alerts a user whenever an app attempts to connect to a server on the internet, allowing the user to decide whether to allow or deny the connection.
Poorly Designed Installer
Reed notes it's easy to spot the fake installer because it lacks the professional appearance found on Objective Development's site.
In addition to installing Little Snitch, the fake installer also drops an executable named "patch." A postinstall shell script runs once the files have been copied. Shipping such a postinstall script is normal for an installer package, but in this case it is used to load the malware, according to the report.
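The practical check here is to read an installer package's scripts before letting them run as root, since a postinstall script is exactly where a trojanized package does its work. The script below is an added example, not code from Malwarebytes or from the EvilQuest sample: it walks an expanded package tree (on macOS, produced with `pkgutil --expand Installer.pkg /tmp/expanded`), lists every pre/postinstall script, and flags lines that drop files into system locations, make them executable, register launch daemons or agents, or fetch from the network. The sample package tree it builds is constructed for illustration; the `/Library/Example` path and the `com.example.patch` label are hypothetical and do not come from the report.

```shell
#!/bin/sh
# Added example: audit installer-package scripts before running a .pkg.
# On macOS:  pkgutil --expand Installer.pkg /tmp/expanded
#            sh audit_pkg.sh /tmp/expanded
# Each component package in the expanded tree keeps its scripts under Scripts/.

# Patterns a reviewer wants to see highlighted (ERE for grep -E). A match is not
# proof of malice, but every hit is something the script does with root privileges.
SUSPICIOUS='launchctl|LaunchDaemons|LaunchAgents|chmod \+x|/Library/|/usr/local/|curl |wget '

# Print every flagged script line as "<script path>:<line number>:<line>".
audit_pkg_scripts() {
    find "$1" -path '*/Scripts/*' -type f | sort | while IFS= read -r script; do
        grep -n -E "$SUSPICIOUS" "$script" | sed "s|^|$script:|"
    done
}

# Print the number of flagged lines under a tree (0 means nothing to review).
count_pkg_script_hits() {
    audit_pkg_scripts "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree mimicking an expanded package with two
# components: a benign one and one whose postinstall drops an extra binary
# and registers a launch daemon for it. Hypothetical paths and labels.
make_sample_pkg() {
    root="$1"
    mkdir -p "$root/Helper.pkg/Scripts" "$root/LittleSnitch.pkg/Scripts"
    cat > "$root/Helper.pkg/Scripts/postinstall" <<'EOF'
#!/bin/sh
# refresh caches for the installed app
exit 0
EOF
    cat > "$root/LittleSnitch.pkg/Scripts/postinstall" <<'EOF'
#!/bin/sh
mkdir -p /Library/Example
cp "$2/patch" /Library/Example/patch
chmod +x /Library/Example/patch
cat > /Library/LaunchDaemons/com.example.patch.plist <<PLIST
<plist/>
PLIST
launchctl load /Library/LaunchDaemons/com.example.patch.plist
exit 0
EOF
}

# When given an expanded package directory, audit it and report the hit count.
if [ $# -ge 1 ]; then
    audit_pkg_scripts "$1"
    echo "flagged lines: $(count_pkg_script_hits "$1")"
fi
```

Run against a real expanded package the output is a list of the exact lines that will execute with root privileges during installation; legitimate installers also register daemons, so the point is to read those lines and compare them with what the vendor's package is expected to do, not to treat any hit as a verdict.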
Reed also found a second trojanized installer, this one for the DJ software Mixed In Key 8, that drops the same ransomware.
If the installation process goes as planned, the malware activates and begins encrypting files on the hard drive, Reed says. But in testing the fake installer, Reed ran into a number of malfunctions.
"I left it running on a real machine for some time with no results, then started playing with the system clock. After setting it ahead three days, disconnecting from the network, and restarting the computer a couple times, it finally began encrypting files," Reed notes.
Because the ransomware has only just been detected, further analysis is needed to answer some basic questions, such as which encryption it uses and whether the key can easily be found in the code, Reed adds.