Apple is releasing an update to block newly discovered backdoor malware that may have been used for decades before its discovery.
According to security firm Malwarebytes, which first reported the issue to Apple, the Mac malware has likely flown under the radar for at least a decade, evading detection due to its focus on high-value targets.
Malwarebytes’ Mac security specialist, Thomas Reed, believes the only reason it had not been discovered until now is that it was used sparingly, suggesting it could be linked to espionage campaigns run out of China or Russia.
Reed said the malware, which was “unlike anything I’ve seen before”, targeted macOS systems in biomedical research centres, and that it featured remnants of code written before 2000.
Reed was alerted to a possible Mac malware infection by an IT admin who noticed suspicious outbound network traffic on one Mac. Reed subsequently found the same infection on other Mac systems.
The malware downloaded a script from an attack server designed to discover devices on the same network as well as ports in use. Another file attempts to connect to other devices on the network.
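The behaviour described here, one Mac reaching many neighbouring hosts and ports in a short burst, is the kind of pattern flow or firewall logs can be checked for. As an added example that is not from the article or from Malwarebytes, this Python script flags such internal fan-out in constructed sample flow records; the 10.0.0.0/8 site range, the 60-second window and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (timestamp src dst dst_port); not data from the article.
# 10.0.0.21 fans out to several neighbours within seconds; 10.0.0.30 is ordinary traffic.
SAMPLE_FLOWS = """\
2015-01-12T09:00:00 10.0.0.21 10.0.0.5 22
2015-01-12T09:00:00 10.0.0.21 10.0.0.5 445
2015-01-12T09:00:01 10.0.0.21 10.0.0.6 22
2015-01-12T09:00:01 10.0.0.21 10.0.0.7 22
2015-01-12T09:00:02 10.0.0.21 10.0.0.8 22
2015-01-12T09:00:02 10.0.0.21 10.0.0.9 22
2015-01-12T09:00:03 10.0.0.21 203.0.113.9 443
2015-01-12T09:00:00 10.0.0.30 10.0.0.5 443
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed site range
WINDOW = timedelta(seconds=60)                  # assumed burst window


def parse_flows(text):
    """Yield (timestamp, src, dst, port) from whitespace-separated log lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(flows, host_threshold=5, port_threshold=4):
    """Map a source to a reason if, inside one WINDOW, it reached host_threshold
    distinct internal hosts or port_threshold distinct ports on a single host."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if ipaddress.ip_address(dst) in INTERNAL:      # only internal fan-out counts
            by_src[src].append((ts, dst, port))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):      # slide the window from each event
            span = [e for e in events[i:] if e[0] - start <= WINDOW]
            ports = defaultdict(set)
            for _, dst, port in span:
                ports[dst].add(port)
            if len(ports) >= host_threshold:
                hits[src] = f"{len(ports)} internal hosts within {WINDOW.seconds}s"
                break
            if max(len(p) for p in ports.values()) >= port_threshold:
                hits[src] = f"{port_threshold}+ ports on one host within {WINDOW.seconds}s"
                break
    return hits
```

Running `find_scanners(parse_flows(SAMPLE_FLOWS))` reports only 10.0.0.21; the same host's single external connection is ignored, so a source is judged on its internal behaviour alone.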
The malware, labelled “Quimitchin” by Malwarebytes, is designed to spy on victims’ screens and keystrokes, as well as use a Mac’s webcam. It can also monitor how long an infected system is powered up. Curiously, screenshots can be taken via commands for both Mac and Linux, suggesting the malware may have been designed to target Linux machines at one point.
Other functions include capturing the device’s screen size, changing the mouse cursor’s position, and simulating keystrokes, which, according to Reed, likely offer the malware’s operator remote control capabilities. The malware also featured a line of code designed to keep itself running continuously in the background.
While there are signs the malware could be decades old, one file was created in January 2015 and there’s a comment in another file indicating it was updated for Mac OS X 10.10 Yosemite, which Apple released in 2014.
As to what the malware’s apparent age means, Reed points to a number of possibilities.
“This could signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation. It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code,” he wrote.
Apple has called the malware Fruitfly and will release an update that blacklists this malware, according to Reed. macOS includes a built-in, largely invisible anti-malware feature called XProtect, which Apple occasionally updates to block newly discovered malware.