By examining this PKG file, Malwarebytes discovered that the application ships with a “post-installation script”, which is normally used to clean up after an installation completes. In this case, however, the script installs the malware on macOS.
The script is copied to a folder associated with the Little Snitch application under the name CrashReporter, so the user will not notice it running in Activity Monitor, because macOS has a built-in component with a similar name. The location is /Library/LittleSnitchd/CrashReporter.
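A defender-side check for the masquerading described above, written as an added example (not code from the article or from Malwarebytes). The only page-sourced indicator is the /Library/LittleSnitchd/CrashReporter path; the trusted prefixes, the sample process listing and the system-path placeholder are assumptions constructed for the example.

```python
"""Flag processes that borrow a macOS system name but run from an untrusted path.

Added example, not from the original article. Only EVILQUEST_SCRIPT_PATH comes
from the page; TRUSTED_PREFIXES and SAMPLE_PROCS are assumptions/constructed data.
"""
import os
from typing import Iterable, List, Tuple

# Drop location the article reports for the EvilQuest script (from the page).
EVILQUEST_SCRIPT_PATH = "/Library/LittleSnitchd/CrashReporter"

# System-looking names the article says the malware imitates; extend as needed.
IMITATED_SYSTEM_NAMES = {"CrashReporter"}

# Assumption: genuine macOS system binaries live under these prefixes
# (the SIP-protected /System tree and the base-system /usr tree).
TRUSTED_PREFIXES = ("/System/", "/usr/")


def is_trusted_path(path: str) -> bool:
    """True if the executable path sits under an assumed-trusted prefix."""
    return path.startswith(TRUSTED_PREFIXES)


def find_masquerading(procs: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, path, reason) for suspicious entries in a (name, exe path) listing."""
    hits = []
    for name, path in procs:
        if path == EVILQUEST_SCRIPT_PATH:
            hits.append((name, path, "known EvilQuest drop location"))
        elif name in IMITATED_SYSTEM_NAMES and not is_trusted_path(path):
            hits.append((name, path, "system process name from untrusted path"))
    return hits


def evilquest_script_present() -> bool:
    """Live check on this host for the file the article describes."""
    return os.path.exists(EVILQUEST_SCRIPT_PATH)


# Constructed sample listing of (process name, executable path); the first
# entry is a placeholder for a legitimate system location, not a real path claim.
SAMPLE_PROCS = [
    ("CrashReporter", "/System/Library/CoreServices/CrashReporter"),
    ("CrashReporter", "/Library/LittleSnitchd/CrashReporter"),
    ("CrashReporter", "/Users/alice/Library/Caches/CrashReporter"),
    ("Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
]

if __name__ == "__main__":
    for name, path, reason in find_masquerading(SAMPLE_PROCS):
        print(f"SUSPICIOUS {name} at {path}: {reason}")
```

On a real host, feed `find_masquerading` a listing gathered from `ps` or an EDR process table instead of `SAMPLE_PROCS`.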
Malwarebytes notes that the ransomware waits a while after installation before it starts working, so the user will not associate it with the last application installed. Once the malicious code is activated, it modifies system and user files using an unknown encryption scheme.
Part of what gets encrypted prevents the Finder from working properly, and the system crashes constantly. Even the system keychain is corrupted, so passwords and certificates saved on the Mac can no longer be accessed. A message on the screen tells the user to pay $50 to recover their files, otherwise everything will be deleted after three days.
There is still no way to undo the damage once the malware has encrypted files, so users should keep an up-to-date backup of everything.
The best way to avoid the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and make sure at least one is not attached to your Mac at all times. (The ransomware may try to encrypt or damage backups on connected drives.)
Although the ransomware is currently only bundled with pirated apps, Apple needs to close this security hole as soon as possible, because the malicious code could be bundled with more applications.
You can read more technical details about EvilQuest on the Malwarebytes website.