The team over at Malwarebytes has recently discovered what they’re calling “the first Mac malware of 2017”. The Fruitfly malware has been using antiquated code to help it run undetected for quite some time on macOS systems. It has reportedly been used in targeted attacks at biomedical research institutions.
The malware, which Malwarebytes’ software detects as ‘OSX.Backdoor.Quimitchin’, contains code that dates from before OS X. Some of the code even shows signs of being able to run on Linux, leading the team to believe that the malware may have had, or still has, a variant on that operating system as well. The malware was discovered when an IT administrator noticed irregular outgoing network activity from a specific Mac.
Containing just two files, the malware uses a hidden script to communicate back to servers, take screenshots on both Mac and Linux, and grab the system’s uptime. The script also executes a secondary script and Java class with the ability to hide its icon from showing in the macOS Dock. Malwarebytes reports that the malware looks as though its primary intention is to grab screenshots and gain webcam access.
What’s most interesting is that the malware uses antique system calls to operate. A few of them include SGGetChannelDeviceList, SGSetChannelDevice, SGSetChannelDeviceInput, and SGStartRecord. The malware even carries libjpeg code, an open-source library for reading and writing JPEG images that was last updated in 1998.
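Because those legacy Sequence Grabber calls are rare in modern Mac software, their names make a useful hunting lead for defenders. The following Python is an added example, not code from Malwarebytes or the write-up; it scans a binary for the four symbol names quoted above (assuming, as is usual in Mach-O symbol tables, that each may carry a leading underscore) and treats two or more distinct hits as worth a closer look. A hit is a triage signal only, since old but legitimate capture software could reference the same API.

```python
import re
from pathlib import Path

# Legacy QuickTime Sequence Grabber calls named in the write-up. Their presence
# in a current Mac binary is unusual: a hunting lead, not proof of infection.
LEGACY_SG_SYMBOLS = (
    b"SGGetChannelDeviceList",
    b"SGSetChannelDevice",
    b"SGSetChannelDeviceInput",
    b"SGStartRecord",
)

# Bounded by non-identifier characters (a leading "_" is allowed for Mach-O
# symbol names) so SGSetChannelDevice is not counted inside
# SGSetChannelDeviceInput; the regex backtracks to the longer alternative.
_PATTERN = re.compile(
    rb"(?<![A-Za-z0-9])(" + b"|".join(LEGACY_SG_SYMBOLS) + rb")(?![A-Za-z0-9_])"
)


def scan_blob(data: bytes) -> dict:
    """Report which legacy symbols appear in the bytes and whether to escalate."""
    found = sorted({m.group(1).decode() for m in _PATTERN.finditer(data)})
    return {"symbols": found, "count": len(found), "suspicious": len(found) >= 2}


def scan_file(path) -> dict:
    """Convenience wrapper: scan a file on disk (e.g. an extracted Mach-O)."""
    return scan_blob(Path(path).read_bytes())


# Constructed sample: a fake symbol-table fragment, not bytes from real malware.
SAMPLE = (
    b"\x00_SGGetChannelDeviceList\x00_SGSetChannelDevice\x00_SGStartRecord"
    b"\x00_jpeg_write_scanlines\x00"
)

if __name__ == "__main__":
    print(scan_blob(SAMPLE))
```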
Malwarebytes did further digging into the malware and discovered it had even gone through changes to “support” Mac OS X Yosemite, indicating the malware is at least as old as late 2014. The old code and the Yosemite update do not, of course, pin down the malware’s exact creation date. Given the way it relies on old system calls, the malware’s developers could have made these code choices deliberately to avoid detection.
Malwarebytes indicates that Apple calls this malware Fruitfly and that an update should be released soon to resolve the issue.