Apple has pushed an update to XProtect which may detect ThiefQuest

Apple has pushed an update overnight to the data files used by XProtect, bringing its version number to 2125, dated 6 July 2020. This is an early update: in the normal fortnightly update cycle, the next would have been expected around 9 July, together with an update to MRT.

Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. XProtect’s Yara definitions include one new entry, for an entity named MACOS.6cb9746. There are no other changes, which implies that this may add detection for the recently discovered malware/ransomware ThiefQuest, also known as EvilQuest.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan, Sierra, High Sierra, Mojave and Catalina, available from their product page. If your Mac has not yet installed this update, you can force an update using SilentKnight, LockRattler, or from the command line.
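As an added example, not from this post or from any of the tools named above, here is a small shell script that performs the same check from the command line: it reads the installed XProtect data version from the bundle's Info.plist, confirms it is at least 2125, and looks for the MACOS.6cb9746 entry in the bundle's Yara definitions. The bundle locations (Catalina under /Library/Apple, earlier systems under /System/Library) and the layout of files inside the bundle are assumptions; the forcing command is printed, not run.

```shell
#!/bin/sh
# Added example, not part of the original post: check from the command line
# whether the XProtect data update to version 2125 is installed.

EXPECTED_VERSION=2125
EXPECTED_ENTRY="MACOS.6cb9746"

# Assumed bundle locations: Catalina keeps XProtect.bundle under /Library/Apple,
# earlier systems under /System/Library. The first one found is used.
xprotect_bundle() {
    for b in /Library/Apple/System/Library/CoreServices/XProtect.bundle \
             /System/Library/CoreServices/XProtect.bundle; do
        [ -d "$b" ] && { printf '%s\n' "$b"; return 0; }
    done
    return 1
}

# Read CFBundleShortVersionString from the bundle's Info.plist with awk, so the
# check does not depend on macOS-only tools; the key/value layout is assumed
# to be the usual one-per-line XML plist form.
xprotect_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
             getline; gsub(/^.*<string>|<\/string>.*$/, ""); print; exit
         }' "$1/Contents/Info.plist"
}

# The Yara definitions are assumed to live in Contents/Resources/XProtect.yara,
# with the entity name appearing in the rule's metadata.
xprotect_has_entry() {
    grep -qF "$2" "$1/Contents/Resources/XProtect.yara"
}

# Returns 0 when both the version and the new entry are present, 1 otherwise.
xprotect_status() {
    v=$(xprotect_version "$1")
    case $v in ''|*[!0-9]*) v=0 ;; esac
    if [ "$v" -ge "$EXPECTED_VERSION" ] && xprotect_has_entry "$1" "$EXPECTED_ENTRY"; then
        echo "XProtect data $v installed; $EXPECTED_ENTRY present"
        return 0
    fi
    echo "XProtect data is $v; $EXPECTED_ENTRY not found"
    return 1
}

if b=$(xprotect_bundle); then
    xprotect_status "$b" || echo "Force an update with: sudo softwareupdate --background-critical"
else
    echo "No XProtect bundle found at the assumed locations"
fi
```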

I have updated the reference pages here, which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.


Patrick Wardle @patrickwardle has confirmed that this new version of XProtect data does indeed now detect the ThiefQuest/EvilQuest ransomware. Unfortunately, in the last few days a second variant of that malware has emerged, and the new definition doesn’t detect that new version. So stand by for another XProtect update as the game of cat and mouse goes on.