How to set up multiple monitors with your Mac. With just a few minutes of your time and the appropriate accessories, you can connect an extra display to your Mac and increase your productivity.

In June, security researchers discovered a new variant of Mac malware: ThiefQuest (also known as EvilQuest, EffectiveIdiot, and Mac.Ransom.K).

Apr 20, 2016 Installing a triple-boot environment on a Macbook Pro is not as straight-forward as one might think or read on the internet. This guide explains how to install Windows 10 and Linux (Ubuntu) alongside with OSX and share data via a common partition. As an add-on, I explain how to access the raw partitions to boot the foreign OS not only natively but also in a virtual machine. FREE AAA MOBILE APP. Our new and improved mobile app makes it easier than ever to get great savings with the My Savings searchable list, Featured Deal highlights, and personalization when you Like your favorites. Triple protection Protects not only you, but your friends, too. Our award-winning detection technology scans for Mac, PC, and Android-based viruses and spyware. So you can feel better knowing your beloved Mac is protected — and that you're not sharing viruses with any. As an open-source game engine that works across a number of operating systems, TripleA for Mac allows users to enjoy playing different strategy and war-inspired board games in single-player.

ThiefQuest created a flurry of excitement in the Mac security community, because it appeared to be something extremely rare: honest-to-goodness ransomware for macOS. However, after further analysis, it turned out to be something even more interesting: an evolving hybrid threat that combines ransomware, spyware, and data theft capabilities.

Distribution method

ThiefQuest is being distributed through malicious installer files for pirated apps, including the DJ app Mixed In Key, the music production app Ableton, and the firewall app Little Snitch. It should be noted that all of these apps are legitimate software, and that their developers have nothing to do with ThiefQuest — only the pirated versions of the apps contain malicious components.

If a trojanized installer is not signed with an Apple Developer ID, users will see a warning when they click on it, but they will have the option to ignore this warning and launch the app anyway.

ThiefQuest as ransomware

ThiefQuest, at first glance, appears to be ransomware for macOS. When its ransomware functionality is triggered, ThiefQuest begins encrypting files on the infected system, and eventually directs the victim to a simple ransom note on their Desktop. The note informs the user that they have been infected, and instructs them to send $50 in bitcoin to an anonymous Bitcoin wallet address.

However, there are several reasons to suspect that the ransomware functionality of ThiefQuest isn’t really its primary purpose at all.

First of all, ThiefQuest doesn’t appear to take encryption all that seriously. It uses a weak standard to encrypt the compromised machine’s files — a fact that allowed malware researchers at SentinelOne to build a working decryptor tool within weeks of the new malware’s discovery.

Secondly, as security researcher Phil Stokes points out, ThiefQuest demands a relatively paltry ransom (just $50 USD), and offers no way for a victim to contact the bad guys to inform them that the ransom has been paid. In addition, researchers have noticed that the Bitcoin wallet address given in several different samples is identical, meaning that if one of the ransomware’s victims did decide to pay, there would be no way for anyone to know which infected computer had actually paid the ransom. As Stokes wryly notes, that generic Bitcoin wallet address has seen a grand total of zero transactions — meaning that whatever else it may be, ThiefQuest is not exactly a model of persuasive ransomware!

A final oddity of this “ransomware” is that it appears to leave an infected computer mostly intact: even after it is active, victims can still access and use their systems.

All of this means that if ThiefQuest is only ransomware and nothing more, then things don’t add up. It’s either very badly designed ransomware, or it’s something else — perhaps something that was never intended as ransomware in the first place — with the half-baked ransomware functionality serving as a distraction.

ThiefQuest as spyware and data exfiltration malware

Upon closer inspection, the security researchers analyzing ThiefQuest discovered that it was indeed much more than just shoddy ransomware!

In his detailed two-part analysis, Patrick Wardle notes that the malware’s code contains evidence of spyware functionality. There is a command that starts up a keylogger, and then records keypresses on the system and passes them on to several other functions, which allows the captured data to be outputted as formatted strings.

Wardle also found that ThiefQuest is designed to steal certain types of files from its victims. Once activated, the malware’s data exfiltration functionality creates an inventory of the directories and files on the infected machine, and then searches for files that fall into certain sensitive categories (in particular, certificates, cryptocurrency wallets, and keys). If ThiefQuest finds files of interest, it will send their contents back to its command and control server.

ThiefQuest can also contact its C&C server to receive malicious payloads, which can then be executed on the infected machine. The malware appears to support both in-memory payload execution and, as a backup, on-disk execution. In addition, ThiefQuest is able to execute commands given to it by the remote server, and it can also retrieve encoded files and download them onto a compromised system.

In short, whatever failings ThiefQuest may have in the ransomware department, it more than makes up for them with the sophistication and power of its spyware and data exfiltration capabilities!

Other notable features

Triple A For Mac Catalina

ThiefQuest has a few other interesting features that are worth mentioning.

Once launched, the malware checks to see if it’s running in a virtual machine (VM) or not. VMs are virtualized operating systems that run in specialized software on a host computer, sort of an “OS within an OS”. Security researchers use virtual machines to study malware safely, so this VM check may indicate that ThiefQuest is attempting to avoid analysis.

In addition, ThiefQuest checks the processes currently running on the system and looks for well-known security products; if it finds one of these, the malware will attempt to shut it down in order to prevent detection.

Finally, ThiefQuest appears to be under active development. New variants have already appeared since the malware was first discovered and analyzed, and one of the new samples even appears to call out Wardle by name — it contains an encrypted string which, when decoded, reads “Hello Patrick”. Whatever else you can say about them, ThiefQuest’s authors appear to have a sense of humor!

How to avoid infection

ThiefQuest is a serious and potentially dangerous hybrid threat for macOS. But there are several simple things you can do to stay safe:

Say no to piracy

At the time of writing, all samples of ThiefQuest discovered “in the wild” have been found in pirated versions of popular software. Such pirated apps are often distributed through forums and on filesharing sites. The best way to prevent a ThiefQuest infection is to avoid pirated software and the websites that distribute it. Ethical and legal considerations aside, pirated apps are one of the most common infection vectors used by Mac malware — reason enough to stay far away from them.

Follow app safety guidelines

Make sure you’re following best practices for running apps safely on your Mac. Only download apps from the Mac App Store, or directly from the website of an app developer that you know and trust. In addition, pay attention to the alert dialogs shown by macOS. If your Mac warns you that an app hasn’t been signed with a valid Apple Developer ID, then don’t install that app!

Use an anti-malware tool

Mac users should always run a reputable, regularly updated malware detection tool as an added precaution. Such tools are equipped to detect newer malware variants like ThiefQuest, and in addition will help keep you safe from Potentially Unwanted Programs, keyloggers, and other security and privacy threats. If you don’t have this kind of protection on your system yet, MacScan 3 is available as a 30-day trial download (and has already been updated with definitions for multiple variants of ThiefQuest).

ThiefQuest is a fascinating piece of malware from a security research standpoint, and a prime example of the continuing evolution of Mac malware. But it’s also a potentially serious threat to Mac users — so if you have additional questions about how to keep yourself safe from ThiefQuest, or deal with a possible infection, please feel free to reach out to us and ask for help.

You can make all of your displays mirror each other, or extend your workspace with different apps and windows on each display. If you use an external display with your Mac notebook, you can also use closed-display mode.

Check your requirements

• Check the ports on your Mac to find out whether you need an adapter.
• Check how many displays your Mac supports: Choose Apple menu  > About This Mac, click Support, then click Specifications. On the webpage that appears, the number of displays your Mac supports appears under Video Support.

Use extended desktop mode

Maximize your workspace with extended desktop mode, which lets you enjoy full-screen apps and windows on each monitor. Then, use Mission Control to organize apps and windows across your displays. If your Dock is on the bottom of your screen, it appears on any of your displays when you move your pointer to the bottom edge of your display.

Turn on extended desktop mode

1. Make sure that your external display is turned on and connected to your Mac.
2. Choose Apple menu  > System Preferences, then click Displays.
3. Click the Arrangement tab.
4. Make sure that the Mirror Displays checkbox isn’t selected.

Arrange your displays or change your primary display

So that you can move apps and windows across your displays in one continuous motion, arrange your displays to match the setup on your desk. You can also change your primary display, which is where your desktop icons and app windows first appear.

1. Choose Apple menu  > System Preferences, then click Displays.
2. Click the Arrangement tab.
3. To change the position of a display, drag it to the desired position. A red border appears around the display as it's moved.
4. To set a different display as the primary display, drag the menu bar to the other display.
   

Use video mirroring

Triple A Macon Ga

With video mirroring, all of your displays show the same apps and windows.

Turn on video mirroring

1. Make sure that your external display is turned on and connected to your Mac.
2. Choose Apple menu  > System Preferences, click Displays, then click the Arrangement tab.
3. Make sure that the Mirror Displays checkbox is selected.

Use AirPlay

With Apple TV, you can mirror the entire display of your Mac to your TV, or use your TV as a separate display. To turn on AirPlay, follow these steps:

1. Make sure that your TV is turned on.
2. Choose in the menu bar, then choose your Apple TV. If an AirPlay passcode appears on your TV screen, enter the passcode on your Mac.
3. Mirror your display or use your TV as a separate display:
   • To mirror your display, choose , then choose Mirror Built-in Display.
   • To use your TV as a separate display, choose , then choose Use As Separate Display.
4. To turn off AirPlay, choose , then choose Turn AirPlay Off.

Triple A Macedonian Feta Cheese

If you don't see in the menu bar, choose Apple menu  > System Preferences, click Displays, then select the 'Show mirroring options in the menu bar when available' checkbox.

Learn more about how to AirPlay video from your Mac.

Triple A For Machine

Learn more