New Mac Malware Uses Ancient Code to Spy on Biotech Firms


A Mac-based espionage malware that Apple calls “Fruitfly” is making the rounds, targeting biomedical research facilities.

Malwarebytes, which recently identified the malware, said that it specializes in screen captures and webcam access. It can also determine the screen size and mouse cursor position, move the cursor, and simulate mouse clicks and key presses, amounting to rudimentary remote-control functionality.

Malwarebytes also observed the malware downloading a Perl script that builds a map of the other devices on the local network, recording each device's IPv4 and IPv6 addresses, its name on the network and the port in use. The script also appears to attempt connections to those devices.

“Although [there is] no evidence at this point linking this malware to a specific group, the fact that it's been seen specifically at biomedical research institutions seems like it could be the result of exactly that kind of espionage…at the heart of stories about Chinese and Russian hackers targeting and stealing US and European scientific research,” the firm noted in an analysis.

This is the first new Mac malware of 2017. It was discovered after an IT administrator noticed unusual outgoing network traffic from a particular Mac, and Malwarebytes noted that the code is unlike anything its researchers have seen before.
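The two behaviours above, an infected host sweeping its own subnet and the unusual outbound traffic that tipped off the administrator, are exactly what a simple connection-log heuristic can surface. The following is an added example written for this article; it is not Malwarebytes' code and not the malware's own Perl script. It assumes a constructed, hypothetical log format of `<timestamp> <src> -> <dst>:<port> <proto>` (IPv6 destinations in brackets), and the sample lines are made up to exercise it.

```python
"""Spot a host that is mapping its own network segment from connection-log lines.

Added example for this article (not Malwarebytes' code, not the malware's script).
Assumed, constructed log format:  <timestamp> <src> -> <dst>:<port> <proto>
IPv6 destinations are written in brackets, e.g. [fe80::5]:445.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: 10.0.5.30 behaves normally, 10.0.5.21 sweeps its /24.
SAMPLE_LOG = """\
2017-01-18T09:00:01 10.0.5.30 -> 10.0.5.1:53 udp
2017-01-18T09:00:02 10.0.5.30 -> 93.184.216.34:443 tcp
2017-01-18T09:00:05 10.0.5.21 -> 10.0.5.1:445 tcp
2017-01-18T09:00:05 10.0.5.21 -> 10.0.5.2:445 tcp
2017-01-18T09:00:05 10.0.5.21 -> 10.0.5.3:445 tcp
2017-01-18T09:00:06 10.0.5.21 -> 10.0.5.4:22 tcp
2017-01-18T09:00:06 10.0.5.21 -> 10.0.5.5:22 tcp
2017-01-18T09:00:07 10.0.5.21 -> 10.0.5.6:5900 tcp
2017-01-18T09:00:07 10.0.5.21 -> 10.0.5.7:5900 tcp
2017-01-18T09:00:08 10.0.5.21 -> 10.0.5.8:80 tcp
2017-01-18T09:00:08 10.0.5.21 -> 10.0.5.9:80 tcp
2017-01-18T09:00:09 10.0.5.21 -> 93.184.216.34:443 tcp
2017-01-18T09:00:10 fe80::21 -> [fe80::5]:445 tcp
2017-01-18T09:00:11 10.0.5.30 -> 10.0.5.1:53 udp
"""


def parse_line(line):
    """Return (src, dst, port, proto) with src/dst as ipaddress objects."""
    _ts, src, arrow, target, proto = line.split()
    if arrow != "->":
        raise ValueError("malformed line: %r" % line)
    if target.startswith("["):          # [v6addr]:port
        host, port = target[1:].split("]:")
    else:                               # v4addr:port
        host, port = target.rsplit(":", 1)
    return ipaddress.ip_address(src), ipaddress.ip_address(host), int(port), proto


def same_segment(a, b):
    """Treat a /24 (IPv4) or /64 (IPv6) as the 'local network' being mapped."""
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    net_a = ipaddress.ip_network("%s/%d" % (a, prefix), strict=False)
    net_b = ipaddress.ip_network("%s/%d" % (b, prefix), strict=False)
    return net_a == net_b


def local_scan_candidates(log_text, min_hosts=8, min_ports=3):
    """Sources that touched >= min_hosts distinct on-segment hosts on >= min_ports ports.

    Off-segment traffic (e.g. ordinary web browsing) is deliberately ignored so
    the heuristic keys on the subnet sweep rather than on volume.
    """
    seen = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, _proto = parse_line(line)
        if same_segment(src, dst):
            seen[src]["hosts"].add(dst)
            seen[src]["ports"].add(port)
    return sorted(
        str(src) for src, s in seen.items()
        if len(s["hosts"]) >= min_hosts and len(s["ports"]) >= min_ports
    )


if __name__ == "__main__":
    print("local-network sweep suspects:", local_scan_candidates(SAMPLE_LOG))
```

The thresholds are arbitrary starting points; on a real network they should be tuned against a baseline so that legitimate inventory tools, monitoring agents and the DHCP/DNS server do not trip the rule, and the same logic is better expressed as a scheduled query in whatever log platform already holds the flow data.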

Thomas Reed, director of Mac Offerings at Malwarebytes, told Infosecurity that the code uses an odd mixture of Perl, Java and native Mac binaries all in one file. This, plus the extreme age of some of the code, is “very unique,” he said.

On the surface, the research team found the malware extremely simple: it consists of only two files and relies on some truly ancient functions, by the tech world's standards, dating back to pre-OS X days. The binary also bundles the open source libjpeg code, which was last updated in 1998.

“We shouldn't take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don't know the Mac very well and were relying on old documentation. It could also be that they're using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”

Nonetheless, Malwarebytes is calling the malware “Quimitchin” instead of Fruitfly, after the Aztec spies who would infiltrate other tribes.

“Given the 'ancient' code, we thought the name fitting,” the analysis noted.

And while the malware could go back years, it had not been discovered until now, most likely because it is being used in very tightly targeted attacks, limiting its exposure.

“This appears to be a tightly targeted attack on a specific group. This reinforces my belief that future Mac threats will not be widespread,” Reed told us. “Apple tends to crush any widespread malware very quickly, as in the case of the KeRanger ransomware. In order for malware to be successful on the Mac, it must be stealthy and avoid attracting attention. The only way to do that is to tightly control who gets infected, by choosing to infect only selected victims. Such malware can be very hard to spot.”

Apple said it would release updates soon to protect against future infections. Researchers are still not sure exactly how this malware gets onto a system, but the usual advice almost certainly applies: beware of phishing attacks, and avoid downloading anything from unknown sites. Once a machine is infected, though, Reed said the malware is easy to remove with standard AV software.
