Virus.MacOS.THIEFQUEST.A-O

Hängt eigenen Code an den Anfang der Zieldateien an. Fügt Infektionsmarker in Dateien ein.

Führt Befehle eines externen, böswilligen Benutzers aus, wodurch das betroffene System gefährdet wird.

Installation

Schleust die folgenden Dateien ein:

• /private/var/root/.ncspot – text files containing a 43-byte string to be used by the Virus

Schleust die folgenden Eigenkopien in das betroffene System ein:

• ~/Library/AppQuest/com.apple.questd
• /Library/AppQuest/com.apple.questd
• /private/var/root/Library/.{random generated string}
• (Note: The character <~>indicates the main directory accessible to the current logged in user only. If the file path does not contain the character <~> specified file is located in the local main directory accessible to all users.)

Dateiinfektion

Infiziert die folgenden Dateitypen:

• Mach-O Executable File

Hängt eigenen Code an den Anfang der Zieldateien an.

Sucht in den folgenden Ordnern nach Zieldateien:

• /Users

Fügt Infektionsmarker in Dateien ein.

Backdoor-Routine

Führt die folgenden Befehle eines externen, böswilligen Benutzers aus:

• Load and execute received data from memory
• Save received data as specified file
• Log keystrokes

Download-Routine

Öffnet die folgenden Websites, um Dateien herunterzuladen:

• http://andrewka6.{BLOCKED}anywhere.com/ret.txt → Contains specified C&C Server

Andere Details

Zeigt ein Popup-Fenster mit folgender Meldung an:

Es macht Folgendes:

• Installs the following autorun items:
  • ~/Library/LaunchAgents/com.apple.questd.plist
  • /Library/LaunchDaemons/com.apple.questd.plist
  • (Note: The character <~>indicates the main directory accessible to the current logged in user only. If the file path does not contain the character <~> specified file is located in the local directory accessible to all users.)
• It avoids the Mach-O Executable files that are included in application bundles(.app file extension)
• Infected files from this Virus will drop and execute its original code as a hidden file to deceive the user into thinking that the infected executed file was not affected while the malware performs its routines in the background.
• It will first attempt to download the file to get the specified C&C. If unsuccessful it will instead use the IP Address as C&C Server.
• It does not append a different file extension to the file name of the encrypted files. Instead, it leaves an encryption marker at the end each file.
• It is capable of file exfiltration. It searches the following folder for files of interest to encode and send to the server:
  • /Users
• It searches for files that match the following regular string expressions to encrypt:
  • *id_rsa*/i
  • *.pem/i
  • *.ppk/i
  • known_hosts/i
  • *.ca-bundle/i
  • *.crt/i
  • *.p7!/i
  • *.!er/i
  • *.pfx/i
  • *.p12/i
  • *key*.pdf/i
  • *wallet*.pdf/i
  • *key*.png/i
  • *wallet*.png/i
  • *key*.jpg/i
  • *wallet*.jpg/i
  • *key*.jpeg/i
  • *wallet*.jpeg/i