Malwarebytes Discovers ‘Fruitfly’ Malware in macOS That Runs Using ‘Antiquated Code’

Security software firm Malwarebytes has just exposed what could be the first known case of Mac malware of 2017.

It appears to be a highly antiquated piece of malware. In other words, it is not especially advanced, and the methods it uses to infect machines are so well known that only a small number of unsuspecting users would fall victim to it.

Malwarebytes detects Fruitfly as “OSX.Backdoor.Quimitchin,” and points out that it uses code that actually predates OS X itself. The report adds that some of the code shows signs of potentially being able to run on Linux. The malware was first noticed by an IT administrator who became aware of an unusual amount of outgoing network activity from a specific Mac.

“Another clue, of course, is the age of some of the code, which could potentially suggest that this malware goes back decades. However, we shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation. It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.

Ironically, despite the age and sophistication of this malware, it uses the same old unsophisticated technique for persistence that so many other pieces of Mac malware do: a hidden file and a launch agent. This makes it easy to spot, given any reason to look at the infected machine closely (such as unusual network traffic). It also makes it easy to detect and easy to remove.”

The experts who reverse engineered the malware found comment files that suggest this malware has been in use for quite some time, at least since OS X Yosemite (launched in 2014). It may have gone unnoticed for so long because it targeted a very small sample of machines. Had it been present on more machines, it might have been noticed and reported much sooner.
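
The quoted report says the hidden file plus launch agent pairing is easy to spot once someone looks at the machine. The following added example (not code from Malwarebytes or from the original article) shows one way to check for it: parse each launch agent plist and flag any whose program or arguments point at a dot-prefixed path. The labels, paths and function names are constructed for illustration.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample launch agents (labels and paths are made up for this example).
HIDDEN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/Users/alice/.example_helper</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
NORMAL_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.sync</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/sync</string>
</dict></plist>"""

def launch_targets(plist_bytes):
    """Return every string launchd would execute or pass as an argument."""
    job = plistlib.loads(plist_bytes)
    if not isinstance(job, dict):
        return []
    targets = [job["Program"]] if isinstance(job.get("Program"), str) else []
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        targets += [a for a in args if isinstance(a, str)]
    return targets

def is_hidden_path(value):
    """True for a path with a dot-prefixed component (hidden in Finder and plain ls)."""
    if not value.startswith(("/", "~")):
        return False  # option flags and bare words are not paths
    parts = PurePosixPath(value).parts
    return any(p.startswith(".") and p not in (".", "..") for p in parts)

def hidden_targets(plist_bytes):
    return [t for t in launch_targets(plist_bytes) if is_hidden_path(t)]

def scan(directory="~/Library/LaunchAgents"):
    """Map each launch agent plist in `directory` to its hidden targets."""
    findings = {}
    for plist in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            hits = hidden_targets(plist.read_bytes())
        except Exception as exc:  # unreadable or malformed plist: surface it
            hits = [f"unparseable: {exc}"]
        if hits:
            findings[plist.name] = hits
    return findings

if __name__ == "__main__":
    for name, hits in scan().items():
        print(name, hits)
```

Legitimate tools sometimes live under dot-directories too, so treat each hit as a lead to investigate alongside other signals such as the unusual outbound traffic mentioned above.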

It’s very unlikely that your Mac at home has been infected with this malware, which is being dubbed OSX.Backdoor.Quimitchin, named after the Aztec spies who were known for infiltrating other tribes for information. Nevertheless, that’s not to say that other rogue malware couldn’t infect your machine, so you should always be wary of what you download.

