
In the last stage, EvilQuest launches a copy of itself and starts encrypting files - including cryptocurrency wallet ("wallet.pdf") and keychain-related files - before eventually displaying ransom instructions to pay $50 within 72 hours or risk leaving the files locked.

But EvilQuest's features go beyond typical ransomware, including the ability to communicate with a command-and-control server ("") to remotely execute commands, start a keylogger, create a reverse shell, and even execute a malicious payload directly out of memory.


It also kills any security software (e.g., Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender, and Bullguard) that may detect or block such malicious behavior on the system, and sets up persistence using launch agent and daemon property list files ("") to automatically restart the malware each time the user logs in.
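The launch agent and daemon plists mentioned above are where this kind of persistence surfaces on disk, so a responder's first check is to inventory them. The following script is an added example (not code from the article or from the malware); the "trusted" path prefixes in it are an assumption about a typical install, and the sample plist is constructed, not a real EvilQuest artifact.

```python
"""Audit macOS launchd plists for auto-start entries worth reviewing."""
import plistlib
from pathlib import Path

# Standard macOS persistence directories; the user-level one is resolved
# against the current home directory at import time.
LAUNCH_DIRS = [
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path.home() / "Library/LaunchAgents",
]


def summarize_plist(data: bytes) -> dict:
    """Extract the persistence-relevant fields from raw plist bytes (XML or binary)."""
    p = plistlib.loads(data)
    program = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    return {
        "label": p.get("Label", ""),
        "program": program,
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),
    }


def is_suspicious(entry: dict) -> bool:
    """Heuristic (assumption, not a rule from the article): flag auto-start items
    whose executable lives outside the usual system/application locations."""
    if not (entry["run_at_load"] or entry["keep_alive"]) or not entry["program"]:
        return False
    trusted = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")
    return not entry["program"][0].startswith(trusted)


def audit(dirs=LAUNCH_DIRS) -> list:
    """Parse every .plist under the given directories and return flagged entries."""
    flagged = []
    for d in dirs:
        for f in (d.glob("*.plist") if d.is_dir() else []):
            try:
                entry = summarize_plist(f.read_bytes())
            except Exception:
                continue  # unreadable or malformed plist: skip it, keep scanning
            if is_suspicious(entry):
                flagged.append((str(f), entry))
    return flagged


# Constructed sample plist for demonstration; not a real malware artifact.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.agent</string>
<key>ProgramArguments</key><array><string>/Users/Shared/.hidden/agent</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(summarize_plist(SAMPLE), is_suspicious(summarize_plist(SAMPLE)))
    for path, entry in audit():
        print(path, entry)
```

Run it on a macOS host to list auto-start items outside the expected locations; anything flagged still needs manual review, since legitimate third-party software also installs agents there.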
