Connect with us

Hi, what are you looking for?


Malware & Threats

New “Quimitchin” Mac Malware Emerges Targeting Scientific Research

Security researchers have described what they consider to be “the first Mac malware of 2017.” It has a simple structure and includes some antiquated code; but nevertheless appears to have existed undetected for some time — perhaps even several years — while possibly targeting biomedical research institutions.

Security researchers have described what they consider to be “the first Mac malware of 2017.” It has a simple structure and includes some antiquated code; but nevertheless appears to have existed undetected for some time — perhaps even several years — while possibly targeting biomedical research institutions.

It was discovered when an IT admin noticed unusual traffic coming from a particular Mac. Investigation led Malwarebytes to the espionage malware it now describes as Quimitchin (named after Aztec spies who would infiltrate other tribes — the spies and the code are both ancient).

Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a ‘minified and obfuscated’ perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: “a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.”

Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. “It seems that this malware is trying to exfiltrate data from anything it can access. Since this has been seen infecting Macs at biomedical facilities, we believe it’s being used for espionage to steal scientific data — but we don’t know at this point who might be behind the malware,” he said.

Somewhat surprisingly the code uses antique system calls. “These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,” he wrote in the blog post. “In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.”

Part of the script provides a rudimentary remote control function. It includes an additional method for screen capture and getting the screen size and cursor position; and can receive commands that change the cursor position, and simulate mouse clicks and key presses.

The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes “found that – with the exception of the Mach-O binary – everything ran just fine.” It is possible that there is a specific Linux variant of the malware in existence — but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same C&C server. One of them even used the same libjpeg library, which hasn’t been updated since 1998, as that used by Quimitchin.

Advertisement. Scroll to continue reading.

Quimitchin consequently presents a conundrum. It is simple in design, yet seems to have been undetected for several years. “The only reason I can think of that this malware hasn’t been spotted before now,” suggests Reed, “is that it is being used in very tightly targeted attacks, limiting its exposure. There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”

David Harley, a senior research fellow with ESET, and maintainer of Mac Virus (The Official Mac Virus Blogsite) agrees that this is possible. “The suggestion that this might be ‘tightly targeted’ is certainly viable,” he told SecurityWeek. “In recent years, there’s been a lot of Mac-targeting targeted malware that may well be state-sponsored. While I’m more familiar with such malware targeting political groups, it’s perfectly possible that it’s been used against research targets. And while it’s been a good while since I was involved in biomedical research myself, I suspect that a good many people in that field still prefer Macs to Windows.”

He is not so convinced, however, of the antiquity of the malware. Reed himself comments, “We shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation. It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”

Harley adds, “Malware authors have never been reluctant to include old techniques in new malware in the hope of having it function on a wider range of systems.”

But the bottom line is that however simple, or however old, it works. It was found in situ communicating with its C&C server. It is, therefore, sophisticated enough. There is no indication in the Malwarebytes report on the attack vector used to deliver the malware, nor how long it operated before discovery — nor what if any data it exfiltrated.

It is, writes Reed, “easy to spot, given any reason to look at the infected machine closely (such as unusual network traffic). It also easy to detect and easy to remove.” Malwarebytes detects this malware, and other good Mac AVs will do similar soon. Apple calls it ‘Fruitfly’, and has already released an update that will be automatically downloaded behind the scenes to protect against future infections.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...