Mac malware uses 'truly antique' methods to conduct espionage on scientific facilities
Malwarebytes believes the malware was only used in extremely targeted attacks.
A strain of malware targeting Apple Mac computers, the first of its kind found in 2017, has been found to use an "ancient" code to spy on biomedical research facilities. Known as Quimitchin, evidence suggests it has been in existence undetected for a number of years.
On the surface the malware seems simplistic, but researcher Thomas Reed said it is only likely to have stayed under the radar for so long because it was being used in what he called "very tightly targeted attacks". In a blog post, he said that it was unlike anything he had seen before.
Quimitchin is designed to take screenshots of an infected computer system and gain access to the webcam functionality. It can also be used by an attacker to simulate mouse clicks and key presses, and to change the position of a computer cursor.
However, what makes this Mac malware stand out is that it uses some "truly antique" methods to carry out these commands, with some functions dating back to "pre-OSX" days and one piece using a piece of open-source code last updated in 1998.
Reed said the age of some of the code could "suggest that this malware goes back decades". And despite some conflicting creation dates on the internal scripts, with one from January 2015, the researcher maintained it has likely been "circulating undetected for a long time".
One theory put forward by the Malwarebytes researcher is the hackers have been using old code to "avoid triggering any kind of behavioural detections that might be expecting more recent code". It remains unknown how the malware is spread to its victims.
"Ironically, despite the age and sophistication of this malware, it uses the same old unsophisticated technique for persistence that so many other pieces of Mac malware do: a hidden file and a launch agent. This makes it easy to spot," Reed said.
"The only reason I can think of that this malware hasn't been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure," he continued.
"There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it's been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage."
In response to the find, Apple codenamed the malware family as 'Fruitfly', and has now released an update that will be automatically downloaded on to users computers to help fend off any future infections of this mysterious virus.
© Copyright IBTimes 2024. All rights reserved.