Ancient Mac Malware Found Used in Recent Attacks, Can Work on Linux Too

Published on: January 19th, 2017

Apple has recently patched macOS against possible attacks from a backdoor trojan discovered by Malwarebytes, which Apple engineers call Fruitfly, and Malwarebytes detects as OSX.Backdoor.Quimitchin.

Discovered this year, Malwarebytes says this Mac backdoor contains routines that allow it to execute in some limited capacity on Linux systems.

An analysis of the code revealed that the malware is easy to detect because of its persistence mechanism, which works by creating a launch agent for a hidden file, a common practice that most Mac security products search for and should be able to easily detect.

Fruitfly malware built using ancient code
Artifacts in the malware’s source code point to the fact that this threat existed for many years without being detected. Most notably, Fruitfly received updates for Yosemite (Mac OS X 10.10), which was released in October 2014.

Furthermore, the malware uses very ancient code, such as system calls that haven’t been used by developers since before the release of OS X (2001), and a library called libjpeg, which was last time updated in 1998.

What this means is that its creator has written the code long time ago and gradually updated it along the way, or just used old deprecated code, which he might have copy-pasted from other malware or code-sharing sites.

The Malwarebytes team also suspects that the Fruitfly author might have used old code “to avoid triggering any kind of behavioral detection [systems] that might be expecting more recent code.”

Fruitfly can take screenshots, access the webcam
According to Malwarebytes, Fruitfly can take screenshots of the user’s screen, access the webcam, simulate key presses, interact with the mouse cursor, provide remote control access, hide its process from the macOS Dock, and upload stolen data.

Some of these features are also doubled by code that allows Fruitfly to run on Linux machines, albeit researchers have not spotted a Linux variant in the wild.

Additionally, a mysterious Windows malware also connected and used the same C&C servers as Fruitfly, making researchers believe that the author of this tool might be operating malware with versions for all three major operating systems.

“The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,” said Thomas Reed, the Malwarebytes analyst that analyzed Fruitfly after a system administrator had contacted him after he noticed suspicious traffic in his network.

Reed didn’t provide any in-depth details or evidence, but he also said that Fruitfly might be used in targeted attacks against biomedical research centers, possibly by actors focused on economic or state-sponsored espionage.

A technical breakdown of Fruitfly’s mode of operation is available on the Malwarebytes blog, along with indicators of compromise.