FruitFly: Undetected macOS backdoor targets Biomedical Facilities

Ink

Jan 8, 2011
The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers.


The binary itself seems primarily interested in screen captures and webcam access, but interestingly, it uses some truly antique system calls for those purposes. [...] as far as the tech world is concerned, dating back to pre-OS X days.

[...]

However, we shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation. It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.

[...]

The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure. There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.

[...]

Malwarebytes will detect this malware as OSX.Backdoor.Quimitchin.

Apple calls this malware Fruitfly and has released an update that will be automatically downloaded behind the scenes to protect against future infections.

Read Full Article: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

Quote from Comments:

Q: So how does it spread? Does running as a standard user as opposed to an admin account prevent its installation?

A: We still don't know how it gets installed. All samples so far have been observed installed in user space, so running in a standard user account will not protect against this.