A newly discovered piece of Mac malware containing some very old code has likely been targeting biomedical research facilities for at least two years without detection.
According to a blog post by Internet security firm Malwarebytes, the backdoor program’s primary functionality appears to be screen captures and webcam access. However, the spyware is also designed to capture machine uptime, determine and change mouse position, and simulate mouse clicks and key presses. Furthermore, it downloads other scripts designed to map, study and connect with additional devices on the affected machine’s local network.
Apple has already released an update “that will be automatically downloaded behind the scenes to protect against future infections,” Malwarebytes reported. (SC Media has contacted Apple for official comment.)
Researchers became aware of the threat after an IT administrator at an infected biomedical research facility alerted Thomas Reed, Malwarebytes’ director of Mac offerings, to unusual outgoing traffic coming from one of the bio lab’s computers. Malwarebytes named the malware Quimitchin, while Apple has assigned it the moniker Fruitfly.
“The malware was found infecting computers at three different U.S. biomedical research institutions, all at universities,” said Reed (who authored the blog post) in a brief interview with SC Media. “We’re not sure how they got there, but in the first case, there were indications that it had been there since January of 2015.” A forensic analysis suggests the malware may even be older than that, as researchers uncovered clues that Fruitfly has existed since at least October 2014.
The malware communicates with a command-and-control server, presumably to send the perpetrators information or images captured from infected machines. “As for what data they were trying to capture, there wasn’t really a clear indication of what they were looking for. The malware is a pretty general-purpose backdoor, so there’s a lot it could have captured,” Reed continued.
Malwarebytes found that Fruitfly consists of only two files, one of which contains a Perl script featuring very old system calls that predate the macOS (OS X) operating system. One portion of code dates back as far as 1998. Further examination showed that Fruitfly also contains Linux shell code and is almost fully functional on Linux-based systems.
“The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” Reed wrote in his blog. “There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing U.S. and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.”