
'Ancient' Mac backdoor discovered that targets medical research firms

More secure than PC? Ha!

By John Leyden, 18 Jan 2017

Security researchers at Malwarebytes have discovered a Mac backdoor using antiquated code that targets biomedical research facilities.

The malware was probably created years ago but has only recently been discovered. Malwarebytes speculates that it wasn't found before because it was only ever used in targeted attacks, limiting its exposure.

US and European scientific research is known to be targeted by Chinese and Russian hackers.

The malware only came to light after an alert admin spotted strange outgoing network traffic from a particular Mac. This led to the discovery of a piece of malware, which Malwarebytes detects as Quimitchin.

The malware features antique system calls, some dating back to pre-OS X days. The binary also bundles the open-source libjpeg code, which was last updated in 1998.

"The presence of Linux shell commands in the original script led us to try running this malware on a Linux machine, where we found that – with the exception of the Mach-O binary – everything ran just fine," Malwarebytes explains. "This suggests that there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux executable in place of the Mach-O executable. However, we have not found such a sample."

The malware is primarily geared towards screen captures and webcam access on compromised Mac boxes. It is also capable of remote control and mapping the local network.

Apple, which calls the malware Fruitfly, is said to be about to release protection against the nasty. Other security vendors can be expected to follow. Malwarebytes is due to publish more information on the malicious software in a blog post on Wednesday afternoon. ®

Bootnote

Quimitchin were Aztec spies who would infiltrate other tribes. "Given the 'ancient' code, we thought the name fitting," Malwarebytes said.

The Register - Independent news and views for the tech community. Part of Situation Publishing