Malwarebytes Discovers 'First Mac Malware of 2017'

wiredmikey writes: Security researchers have a uncovered a Mac OS based espionage malware they have named "Quimitchin." The malware is what they consider to be "the first Mac malware of 2017," which appears to be a classic espionage tool. While it has some old code and appears to have existed undetected for some time, it works. It was discovered when an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities. From SecurityWeek.com: "Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a 'minified and obfuscated' perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: 'a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.' Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,' he wrote in the blog post. 'In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.' The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes 'found that -- with the exception of the Mach-O binary -- everything ran just fine.' It is possible that there is a specific Linux variant of the malware in existence -- but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same CC server. One of them even used the same libjpeg library, which hasn't been updated since 1998, as that used by Quimitchin."

Mac OS based espionage malware

[khz6955]

'Security researchers have a uncovered a Mac OS based espionage malware they have named "Quimitchin." .. an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities.'

How exactly does the malware get onto the Mac without the end user downloading and installing the malware and providing it with the admin password?

Re:Mac OS based espionage malware

From TFA it apparently runs in userspace not as root

Re:Mac OS based espionage malware

[ahabswhale]

It doesn't. Someone has to authorize it with the admin password.

Re:Mac OS based espionage malware

[TheRaven64]

It's also probably difficult to get a user to accidentally install it. Java used to be installed by default on MacOS X, then there was a thing where, on first use, it would prompt the user and ask them if they wanted it. Now there's a thing saying 'you need Java to do this, go to this web page and download and install it, then try again'. Most casual users will say 'that looks hard, I can't be bothered'.

antique system calls

[phantomfive]

This 'security researcher' may be surprised to find that most of the software he uses on a Mac calls some 'antique system calls' that existed before OSX.