
Rewterz Threat Alert – EvilQuest Wiper Uses Ransomware Cover to Steal Files From Macs

Severity

High

Analysis Summary

EvilQuest is a new piece of macOS malware that masquerades as a Google Software Update program and, at the time of writing, is detected by almost no antivirus engines. It was found bundled into pirated versions of popular macOS applications shared on well-known torrent sites; this infection method is common and at least partly successful. Once running, it encrypts the victim's files and leaves a ransom note.


The dropped .txt ransom note, when opened, looks like this:

[Image: ransom note text]

It also appears to handle tasking from a command and control server (andrewka6[.]pythonanywhere[.]com). Such tasking includes:

  • executing a command
  • starting the keylogger
  • executing a module directly from memory (no file written to disk)

Armed with these capabilities, the attacker can gain full control over an infected host, which is why the file-encryption behaviour should not be treated as the only impact.

Impact

  • File encryption
  • Remote code execution
  • Credential theft
  • Information theft
  • System compromise

Indicators of Compromise

Domain Name

  • andrewka6[.]pythonanywhere[.]com

MD5

  • 777424b278bc6bb4edcecb82dfbcb37d
  • 17bfc2fc9dce7254fea0bb86c085c52b
  • 9291a3ec715f82ac2ef1545b64e1e51c
  • b836f7795e946f8e61185e844151c905
  • a2539ab3e8a30bd4b19b0614b5da04ce
  • aba3b585dd22d0e1d65ed87fe349b7e1
  • 0e1c274aa0f487d6262e5d2bb4830229
  • a22e2da6f3ec7f9ddf5f3f8bb8325aeb
  • d2d4c05889be06d1772b19f6ddbfc9f6
  • a8440c256c6dc84f93a71b31412c6a9e
  • 295c6945ef3b9cad6ff37c5510b14627
  • eeebec8b56565a7758f4dbd00ddf4180
  • 569b651ec08732c185ed068d81877cf4
  • c73e33f13481252ec81486cb9e90719c
  • eb7cc7cb70d8946f4b25610ca1ba623d
  • f4368984793e7ab58357c4f675a84366
  • 1e23accebc583eb7be178feabdb826d0
  • 43778d3799840872349146c87b247396

SHA-256

  • a215dc148ff217dfcdfdb93521dfda34a02db3145b2075ddb1fae5bf02223b08
  • d0fedd9bd2cf05e0ee71af4c54649058a93a10dfff08c015e273b02e48b93af0
  • ab0f58f35451e95ec8b3f15dbd0a480f97e263708975f41867e3c91978ff7f48
  • ad24d8c5ce6e6ef10755dd83a24f13d7d1b42109ff570c3d98fc6a730d452f45
  • 511731ff2e08ac1b1de0ca719f3500b2902d7670dd2b2d5b72b3cae847ab42c8
  • e361f8adefa02488cceadf7c490784c9da9a9b569d14c4259c12559c1cf223f1
  • bc4385e99c66cbcc08ce79bb29e34519a34c1b43546dfdbe9427e899508b2d26
  • 1553d8756ce7af3c97291a589fc767b65e0f89940ada15e838243fe292901f42
  • 33cecccbe3775e37ae09df298ba21082544164fa8cb32cdda05bfa8e54faa890
  • 6b51992fa3dd5ca2525375c9fb2eaa032f031f866fd227a8a524e39d12d5e35e
  • 7f149c27e7dc4dfd5f25fd93793dde96e711060881bdfbdd33f8cfdf12674093
  • 993045d0a624e821640576570f0d5d2f3693efbd10115f9fb1d3f9ed91764073
  • 8159fe10644fad806ddd10bca72efb709b887fed129d123e9772dc99290691c7
  • b94ba5a22f2c203224b51c15a546b049a10681904e9e47e84cdd321bedd78bd9
  • b2c02f25fdc19bdf994fd1f212a67d3e4fb4433c18af90ac9306c7f97c2d89f1
  • 7d5d69c9b9d55da16212b71ab1b69e96f3003c4ef1b0319d5cbcfaeef26948ed
  • 17e7883fe9581407529f58472fb1a79d844cc742e5f1454197450b71ff033e16
  • 1597e79b7c1783791c96f92cc5a09a0deff7ec682851a881a7e4f4a0c5803309
  • 9a509533b5dcd3185c3979b73f5861956a9cc83c16aaa505cb624342cde6ad8e
  • 79ce6f9265622d499eb9676a544cfda2cebc14ed9c0131c49cf6e8fa80c4994d
  • e0ca6e395499421bc43a41c625e882df76b90edda3652969d5c28175d076a5f3
  • d3cd4ae4fa3e760ad3e9495d73cdd0c2699536c5c10f9add84b948730fb1648f
  • 81a8050810975fdfcd93f2f0dbcf4c0ee0cda48851a0e56a693b2077b4677a4c
  • f5eefed38002d83a9c1f5d993afeba3c358dd1a67272ab3f171e24d5ed894da8
  • 91e98e8db0c3443b76ce9358192086d19f6a917820f4e9bd6daf6fd6668eea01
  • e1528e284555637fe769177dab7e45ea6292d807448a28be2c465ad245bba428
  • 9f590f8661c7c1a0609d77fa553b127ccf1a441cfc02a8656a15b35e53b62044
  • fc1450d3df4d99fff2d51e555d829a11b17815d82cb9bba04ec5a32db7cd3e26
  • 567a82e21b6b1181def9f254d9af1fa80fb7667db48298989fc7b5a0576cb9de
  • 7aa2117be248cdfd46dcf6756fa9dd3d210f71e2254a83d6337c9f102d7100d3
  • 51ee1acbf13ac079aeb9749c7feb12f8fa87378d6a2ac94a7c54d7862c8a5563
  • 8bf0a31e8c66d353eafa10b862bf58a1974202544e4a5d5a843501b16aa74e8d
  • a17d1c6c520f6f4fa1eb9a4411ad37853c946f3870eba8cc4ef3de71c184eeb3
  • 03145f98fa416cea6a6fb2e8705fa9a25c70c79e8792dc40c10a62f0f9b4dea8
  • 54106c44a7f55a673e9afd9b4415f2a372be49f62f2b1ff3e1196a35fbd0aeef
  • 375b8f459c4fe9b3b0a102698578db921914deafec47c7c064ed779a41d0dbc9
  • 81daa16a5653573117b94b49d657cdf32d9b88dcb891df3573581bb7478d096b
  • 2479f5c4b8c44784ac5c603dadd5fad4ad1b80a8a6198aaf4913a2d1a59e8b01
  • 333d13d5d4e6886848640880a8a9abe8d8f5045d116bbaf6bd328f43a8529c00
  • 3af8dec60474c1f1c47026ea1aa87f3dc25329d69eed92cbdac95ecabd30e87d
  • 45368be16794ebd47ec7b5bf1607eb9d3281ce7101715a1b99b3d50806f090dd
  • fc1ee4df3f52cc7d1bbd185beba983a398a4f5f990c4b1f6758e52f34a13024c
  • b24dd25b42e82a9b4a3fedf05913a4318154e6b04d7e54510f9d3dcf4c8d3438
  • 2ce315aa047239222ede240df7b847f7b5070e792a39d3db148669a4fc07afa8
  • 1a8f442575df82083507e18112198b3f7e51c4f5095ba96197468a9d4fca2ffd
  • 46d75230716fd873f98c1c28e814ad2576b173bd4b23e44d794091536adb7adb
  • a36f63c0ce79bdf4dc74575f26611ff91b4448784e9a5b62f0414eb3e36bf42d
  • d43291684d6412f537d7f2001c21ad58313643a3556b730c287aed2015624a31
  • 8e37e7c4995235301ce093557f3b0c9eafcc887469eae10d1356e936a18808ed
  • f409b059205d9a7700d45022dad179f889f18c58c7a284673975271f6af41794
  • b852b2c6b389e3176ceac9549c7d061aa6308f34022a24324dc44f8c39c35f04
  • 851ce39495677eb52b5b7ceeeb769aacd9e4de90972a2e3fc51335b954d13aa0
  • 07677fcec0276f6108f0a6288b9b12a75025d723b3ee7d494623a998883782f8
  • 2a88b8206d7669791a7135c53d0ba7d2bc4d1da9a9972015bd0a1bde3cc9bbbd

SHA1

  • 769e510c4d2aeca1a5969381355bb89808cd65fd
  • 3d1993fb2ed8b33be17273b5c98394128bde5337
  • f095b7df03f545db8ce7f1d931bf524c8d742c60
  • 8f8a39f3386120d5fb25f2b7cad224fa5610890c
  • 134e4e59c2f3aa22a51a40072e101fa1cf7825e9
  • ba219ad16e48c79082067bf51881ecf028961f35
  • 967f336bdde9c8f22a193ff3172cc50298584fb7
  • bd4fa58168569155d8f837c5ef01b6f4408921ec
  • d3ef5e2831ad52946e42f9a1a0dd31e9c2ceccd3
  • b1fe8010fc1d27c647b735d6b07279a05b2a8c4b
  • 7463479f9aea3d8edc4b012df1012aadc262a9e6
  • 8914731f5447553828c6da20cf1fd6cb30fb5718
  • 082f393df9ba4bfb73de1b142ecdec0003778e8f
  • 456ece6d19bdef0b2db446a67631eb8a734e286d
  • 08f20a7cb4af29ba8b7ab5476a08132c1e5b29ea
  • 893f0ae5bde30d536d71150a534b3063d5708d8c
  • a4c9a1a2dc8ffb6746e63c8ddb6632cc9c104e3a
  • 36ec7e81fa89d72e1c4d942a264344b7577f7172

Source IP

  • 167[.]71[.]237[.]219
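
To turn the indicators above into a detection check, the following script (an added example, not Rewterz's tooling) refangs the published domain and IP, normalises the hashes, and matches them against DNS, proxy and EDR log lines and against files on disk. The log lines are constructed samples, and only a subset of the alert's hashes is embedded; extend IOC_HASHES with the full MD5, SHA1 and SHA-256 lists above.

```python
"""Hunt for the EvilQuest indicators listed in this alert in log lines and on disk.

Added example for this alert; it is not Rewterz's tooling. The sample log lines
below are constructed for illustration and are not real telemetry.
"""
import hashlib
import re
from pathlib import Path

# Network indicators, copied in the defanged form the alert uses.
IOC_DOMAINS = {"andrewka6[.]pythonanywhere[.]com"}
IOC_IPS = {"167[.]71[.]237[.]219"}
# A subset of the alert's file hashes; extend with the full MD5/SHA1/SHA-256 lists.
IOC_HASHES = {
    "777424b278bc6bb4edcecb82dfbcb37d",                                  # MD5
    "769e510c4d2aeca1a5969381355bb89808cd65fd",                          # SHA1
    "a215dc148ff217dfcdfdb93521dfda34a02db3145b2075ddb1fae5bf02223b08",  # SHA-256
    "d0fedd9bd2cf05e0ee71af4c54649058a93a10dfff08c015e273b02e48b93af0",  # SHA-256
}

DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HASH_RE = re.compile(r"\b([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def refang(ioc: str) -> str:
    """Turn a published, defanged indicator ('[.]', 'hxxp') back into its live form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def build_matchers():
    """Normalise the indicator sets once so matching is a plain set lookup."""
    domains = {refang(d) for d in IOC_DOMAINS}
    ips = {refang(i) for i in IOC_IPS}
    hashes = {h.lower() for h in IOC_HASHES}
    return domains, ips, hashes


def scan_log_line(line: str, matchers=None):
    """Return (kind, value) hits for one DNS/proxy/EDR log line.

    Domains match exactly or as a subdomain of the C2 host. Matching is anchored
    on the full C2 hostname, not on pythonanywhere.com, because that parent
    domain is a shared hosting service with plenty of legitimate traffic.
    """
    domains, ips, hashes = matchers or build_matchers()
    hits = []
    for d in (m.lower() for m in DOMAIN_RE.findall(line)):
        if any(d == c or d.endswith("." + c) for c in domains):
            hits.append(("domain", d))
    for ip in IP_RE.findall(line):
        if ip in ips:
            hits.append(("ip", ip))
    for h in (m.lower() for m in HASH_RE.findall(line)):
        if h in hashes:
            hits.append(("hash", h))
    return hits


def scan_logs(lines):
    """Scan many lines; returns [(line_index, (kind, value)), ...]."""
    matchers = build_matchers()
    return [(i, hit) for i, line in enumerate(lines)
            for hit in scan_log_line(line, matchers)]


def hash_file_hits(path):
    """Hash one file with MD5, SHA1 and SHA-256 and return the digests found in the IoC set."""
    data = Path(path).read_bytes()
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
               hashlib.sha256(data).hexdigest()}
    return sorted(digests & build_matchers()[2])


# Constructed sample telemetry (not real logs): a DNS query for the C2 host, a
# benign DNS query, a proxy connection to the source IP, and an EDR exec event.
SAMPLE_LOG = [
    "2020-07-01T10:14:02Z host=mac-03 query=A name=andrewka6.pythonanywhere.com rcode=NOERROR",
    "2020-07-01T10:14:05Z host=mac-03 query=A name=ocsp.apple.com rcode=NOERROR",
    "2020-07-01T10:15:11Z host=mac-07 proxy dst=167.71.237.219:80 method=POST path=/",
    "2020-07-01T10:16:40Z host=mac-03 edr event=exec "
    "sha256=a215dc148ff217dfcdfdb93521dfda34a02db3145b2075ddb1fae5bf02223b08",
]

if __name__ == "__main__":
    for idx, (kind, value) in scan_logs(SAMPLE_LOG):
        print(f"line {idx}: {kind} hit on {value}")
```

Run it against exported DNS resolver, proxy and EDR logs one line at a time; hash_file_hits() can be pointed at suspicious installers or binaries from the pirated-software download to confirm a match against the published file hashes.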

Remediation

  • Block the indicators above at the relevant controls: the domain and source IP at DNS, proxy and firewall, and the file hashes in EDR/antivirus blocklists.
  • Do not download software from untrusted sources, in particular pirated applications shared on torrent sites.
  • Keep all systems and software updated to the latest patched versions.