Security researchers at Malwarebytes have identified unusual network traffic originating from a Mac. The traffic was first noticed by IT admins, and the investigation that followed led to espionage malware that Malwarebytes describes as Quimitchin (Apple calls it ‘Fruitfly’). The malware appears to have existed, undetected, for quite a long time: one of its timestamps dates back to January 2015. However, much about its origin is still unknown at this time.
The purpose of this malware appears to be screen capture and webcam access, which are characteristic of most espionage tools. According to the investigation, the tool has primarily targeted scientific research, and it is unclear who is behind it.
The Mac malware consists primarily of two files: a .plist file and a .client file.
- The .plist file keeps .client running at all times.
- .client holds the actual payload: a minified and obfuscated Perl script that communicates with the C&C servers.
The script primarily takes screenshots via shell commands. It contains code to perform the same operation using both the Mac screen capture command and the Linux ‘xwd’ command. It can also obtain system uptime using the Mac ‘uptime’ command and the Linux “cat /proc/uptime” command.
“The most interesting part of the script can be found in the __DATA__ section at the end. Found there are a Mach-O binary, a second perl script and a Java class, which the script extracts, writes to the /tmp/ folder and executes. In the case of the Java class file, it is run with apple.awt.UIElement set to true, which means that it does not show up in the Dock.” – Malwarebytes explained.
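As an added example (not Malwarebytes' code and not part of the original write-up), the following Python triage helper applies the traits described above to a launchd plist and the program it launches: a persistence key pointing at a hidden program, a Perl shebang, a __DATA__ section, references to /tmp, and the screen capture commands. The plist and script contents are constructed samples, and the Mach-O magic check assumes the embedded binary is stored raw rather than encoded.

```python
import plistlib
import re
from pathlib import Path

# Mach-O header magics (32/64-bit, either byte order, and fat binaries).
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

def plist_findings(plist_bytes: bytes) -> list:
    """Traits of a launchd plist worth a look; an empty list means nothing odd."""
    findings = []
    p = plistlib.loads(plist_bytes)
    if p.get("KeepAlive") or p.get("RunAtLoad"):
        findings.append("persistent (KeepAlive/RunAtLoad)")
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    for a in args:
        if Path(a).name.startswith("."):          # e.g. a hidden ~/.client
            findings.append(f"hidden program path: {a}")
    return findings

def script_findings(script: bytes) -> list:
    """Traits of the launched program matching the .client description."""
    findings = []
    first_line = script.split(b"\n", 1)[0]
    if first_line.startswith(b"#!") and b"perl" in first_line:
        findings.append("perl script")
    code, sep, data = script.partition(b"\n__DATA__\n")
    if sep:
        findings.append("__DATA__ payload section")
        if any(m in data for m in MACHO_MAGICS):  # assumes raw, unencoded payload
            findings.append("embedded Mach-O binary")
    if re.search(rb"/tmp/\S+", code):
        findings.append("writes to /tmp")
    if re.search(rb"\b(screencapture|xwd)\b", code):
        findings.append("screen capture command")
    return findings

# Constructed samples (not real Fruitfly artifacts) mimicking the described layout.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>example.agent</string>
  <key>ProgramArguments</key><array><string>/Users/example/.client</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>"""
SAMPLE_SCRIPT = (b"#!/usr/bin/perl\n"
                 b"my $shot = `screencapture -x /tmp/shot.png`;\n"
                 b"__DATA__\n"
                 b"\xcf\xfa\xed\xfe\x07\x00\x00\x01")  # 64-bit little-endian magic
```

To use it on a real host, read each file under ~/Library/LaunchAgents into plist_findings and feed the program each one points at into script_findings.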
“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,” he wrote in the blog post. “In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.” The functions are listed below:
- SGGetChannelDeviceList
- SGSetChannelDevice
- SGSetChannelDeviceInput
- SGInitialize
- SGSetDataRef
- SGNewChannel
- QTNewGWorld
- SGSetGWorld
- SGSetChannelBounds
- SGSetChannelUsage
- SGSetDataProc
- SGStartRecord
- SGGetChannelSampleDescription
(Quimitchin were Aztec spies who would infiltrate other tribes. Given the “ancient” code, we thought the name fitting.)
Full technical details are available from Malwarebytes.
Apple has released an update that protects against this malware; it is downloaded and installed automatically.