Mac malware uses 'ancient' code to target biomedical facilities

Quimitchin Mac malware may be the first of 2017 to hit the headlines, but its code is buried in history.

screen-shot-2017-01-19-at-08-25-36.jpg
Malwarebytes

A strain of malware which targets Mac machines has been spotted in the wild, and while new, makes use of antiquated code to target biomedical facilities.

This week, researchers from Malwarebytes said the malware, dubbed Quimitchin, was discovered after an IT administrator detected unusual traffic flowing out of a computer based on Apple's Mac OS X operating system.

According to the team, Quimitchin has been "in existence, undetected, for some time" and has been primarily used to target biomedical research centers.

Quimitchin is named after ancient Aztec spies and suits as the malicious code's primary purpose is to spy on victims, although it is also registered by Apple as Fruitfly.

The malware is able to perform various tasks including grabbing screen sizes and mouse cursor positions, taking screenshots, simulating mouse clicks and key presses, as well as rudimentary remote control functions.

The simplistic malware consists of only two files on the surface, a .plist file that simply keeps the other .client file running at all times. The .plist file includes a simple launch agent and the .client file takes the form of an obfuscated perl script used to communicate with command and control (C&C) centers.

"The script also includes some code for taking screen captures via shell commands," the team says. "Interestingly, it has code to do this both using the Mac "screencapture" command and the Linux "xwd" command. It also has code to get the system's uptime, using the Mac "uptime" command or the Linux "cat /proc/uptime" command."

While the malware's binary code is focused on screen captures and webcam access, Quimitchin utilizes system calls which Malwarebytes dubs "truly antique" as they date back to pre-OS X times. In addition, the binary includes open-source libjpeg code, which was last updated in 1998.

If Quimitchin infects a system, the malware will download a perl script from the C&C server which uses mDNS to build a map of all other devices on the local network, including their names, IPv6 and IPv4 addresses, and ports in use. Another script attempts to connect to these devices.

"The presence of Linux shell commands in the original script led us to try running this malware on a Linux machine, where we found that -- with the exception of the Mach-O binary -- everything ran just fine," the analysis continued. "This suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. However, we have not found such a sample."

The security researchers were also able to locate several Quimitchin Windows executable files which communicate with the same C&C server, however, they were only submitted to VirusTotal once and are detected as generic, basic malicious code.

Quimitchin's elderly backbone does not necessarily mean the malware has been in circulation for that long, as it could be the cyberattackers behind it do not understand Mac well and were relying on old code and documentation when creating the malware.

It may also be that old system calls are in use to try and avoid detection by modern engines -- but the simplistic and ancient code makes it easy to detect and eradicate.

Malwarebytes says the only reason Quimitchin hasn't appeared on the radar before is that the malware is used in very specific, targeted campaigns, which limits exposure. So far, only biomedical research facilities are at risk, but Apple has already released a patch behind the scenes which will prevent infection without the need for a major security update.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All