Security researchers have described what they consider to be “the first Mac malware of 2017.” It has a simple structure and includes some antiquated code; but nevertheless appears to have existed undetected for some time — perhaps even several years — while possibly targeting biomedical research institutions.
It was discovered when an IT admin noticed unusual traffic coming from a particular Mac. Investigation led Malwarebytes to the espionage malware it now describes as Quimitchin (named after Aztec spies who would infiltrate other tribes — the spies and the code are both ancient).
Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a ‘minified and obfuscated’ perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: “a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.”
Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. “It seems that this malware is trying to exfiltrate data from anything it can access. Since this has been seen infecting Macs at biomedical facilities, we believe it’s being used for espionage to steal scientific data — but we don’t know at this point who might be behind the malware,” he said.
Somewhat surprisingly the code uses antique system calls. “These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,” he wrote in the blog post. “In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.”
Part of the script provides a rudimentary remote control function. It includes an additional method for screen capture and getting the screen size and cursor position; and can receive commands that change the cursor position, and simulate mouse clicks and key presses.
The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes “found that – with the exception of the Mach-O binary – everything ran just fine.” It is possible that there is a specific Linux variant of the malware in existence — but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same C&C server. One of them even used the same libjpeg library, which hasn’t been updated since 1998, as that used by Quimitchin.
Quimitchin consequently presents a conundrum. It is simple in design, yet seems to have been undetected for several years. “The only reason I can think of that this malware hasn’t been spotted before now,” suggests Reed, “is that it is being used in very tightly targeted attacks, limiting its exposure. There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”
David Harley, a senior research fellow with ESET, and maintainer of Mac Virus (The Official Mac Virus Blogsite) agrees that this is possible. “The suggestion that this might be ‘tightly targeted’ is certainly viable,” he told SecurityWeek. “In recent years, there’s been a lot of Mac-targeting targeted malware that may well be state-sponsored. While I’m more familiar with such malware targeting political groups, it’s perfectly possible that it’s been used against research targets. And while it’s been a good while since I was involved in biomedical research myself, I suspect that a good many people in that field still prefer Macs to Windows.”
He is not so convinced, however, of the antiquity of the malware. Reed himself comments, “We shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation. It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”
Harley adds, “Malware authors have never been reluctant to include old techniques in new malware in the hope of having it function on a wider range of systems.”
But the bottom line is that however simple, or however old, it works. It was found in situ communicating with its C&C server. It is, therefore, sophisticated enough. There is no indication in the Malwarebytes report on the attack vector used to deliver the malware, nor how long it operated before discovery — nor what if any data it exfiltrated.
It is, writes Reed, “easy to spot, given any reason to look at the infected machine closely (such as unusual network traffic). It also easy to detect and easy to remove.” Malwarebytes detects this malware, and other good Mac AVs will do similar soon. Apple calls it ‘Fruitfly’, and has already released an update that will be automatically downloaded behind the scenes to protect against future infections.