Security researchers have discovered a new Mac malware that is being used in targeted attacks on biomedical research organizations. However, while the malicious code is new to security researchers, it is not a new threat to research organizations. The Mac malware is believed to have been stealing secrets for many years.
The malware, named Fruitfly by Apple, was discovered by an IT admin at Malwarebytes. Malwarebytes calls the Mac malware OSX.Backdoor.Quimitchin after the Aztec spies who infiltrated other tribes.
Once installed, the malware takes snapshots of the screen and accesses the webcam on infected devices. Furthermore, the malware is able to simulate keyboard and mouse clicks allowing a hacker to take full control the device remotely.
The malware also scans the infected device for local area networks using a Perl script that uses mDNS to build a map of the local area network. It obtains IPv6 and IPv4 addresses, network names, and the port address used by the infected machine and attempts to connect to other identified network devices. A Perl script is used to communicate with the malware’s Command and Control center.
At present, neither the researchers at Malwarebytes nor Apple have figured out how the malware is spread. The malware contains Linux shell commands and “ancient” coding, which according to Malwarebytes date back to before Apple launched its OS X operating system. The binary includes code that dates to before 1998, which could indicate that the malware has been used for decades, although MalwareBytes suggests that the creators just don’t know much about Macs.
The malware is actually quite easy to identify according to Malwarebytes, providing you know where to look. However, since it is believed to have been used in highly targeted attacks on biomedical companies, it has – until now – evaded detection.
It is not clear when the malware was developed, although Malwarebytes speculates that it has been active for a number of years, certainly before the 2014 release of OS X Yosemite in October 2014 since the code was updated to account for Apple’s new release.
Apple has responded by issuing an update that protects its devices against Fruitfly malware; however, these is no telling how much information has been stolen, sold on, and used by other biomedical research firms.
It is unclear where the malware came from and who the developers are, although a tentative finger has been pointed at China and Russia. Actors in those countries are known to have targeted medical firms and universities in order to obtain scientific data.