Malwarebytes Discovers 'First Mac Malware of 2017'

wiredmikey writes: Security researchers have a uncovered a Mac OS based espionage malware they have named "Quimitchin." The malware is what they consider to be "the first Mac malware of 2017," which appears to be a classic espionage tool. While it has some old code and appears to have existed undetected for some time, it works. It was discovered when an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities. From SecurityWeek.com: "Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a 'minified and obfuscated' perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: 'a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.' Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,' he wrote in the blog post. 'In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.' The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes 'found that -- with the exception of the Mach-O binary -- everything ran just fine.' It is possible that there is a specific Linux variant of the malware in existence -- but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same CC server. One of them even used the same libjpeg library, which hasn't been updated since 1998, as that used by Quimitchin."

Quim Itchin'

[Zaelath]

Seriously?

Re:

[SpankiMonki]

Quit Bitchin'

Re:

[sexconker]

FYI: Quim means vagina.

Mac OS based espionage malware

[khz6955]

'Security researchers have a uncovered a Mac OS based espionage malware they have named "Quimitchin." .. an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities.'

How exactly does the malware get onto the Mac without the end user downloading and installing the malware and providing it with the admin password?

Re:

[Anonymous Coward]

From TFA it apparently runs in userspace not as root

Re:

[khz6955]

"From TFA it apparently runs in userspace not as root"

How exactly does 'Quimitchin' execute in userspace without the end user downloading and installing the malware?

Re:Mac OS based espionage malware

[ahabswhale]

It doesn't. Someone has to authorize it with the admin password.

Re:

[Gadget_Guy]

It doesn't. Someone has to authorize it with the admin password.

Is this based on anything, or are you just guessing? If you read the comment section of the article someone asked how it spread, and "Does running as a standard user as opposed to an admin account prevent its installation?"

To which the malwarebytes.com blogger said:

We still don't know how it gets installed. All samples so far have been observed installed in user space, so running in a standard user account will not protect against this.

That seems to contradict what you have claimed.

Re:Mac OS based espionage malware

[tlambert]

It doesn't. Someone has to authorize it with the admin password.

Is this based on anything, or are you just guessing?

The article makes it clear that in order to extract and run the malware, you have to extract and install other malware named "Java".

This "Java" is apparently malware developed by a large database company in order to install security holes in otherwise secure computers, and is so named to trick tired programmers into believing that they are installing coffee.

Re:

[Gadget_Guy]

The article makes it clear that in order to extract and run the malware, you have to extract and install other malware named "Java".

So the article is correct; the malware doesn't have to be authorised with the admin password. The fact that it requires Java just means that it only works on machines with Java installed. Given that it seems to be targeted to a specific industry then it's not an unusual requirement as they are probably using some Java controller software.

You also need to have a Mac for it to run, but that doesn't make people claim that you need to buy the malware from an Apple store.

Re:Mac OS based espionage malware

[TheRaven64]

It's also probably difficult to get a user to accidentally install it. Java used to be installed by default on MacOS X, then there was a thing where, on first use, it would prompt the user and ask them if they wanted it. Now there's a thing saying 'you need Java to do this, go to this web page and download and install it, then try again'. Most casual users will say 'that looks hard, I can't be bothered'.

Re:

[ruir]

Some other users, may say, fuck it, I am not installing that POS in my notebook.

Re:

[raind]

Of course end users will do this; whether Windows or Mac.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[evilsofa]

What I want to know is why Malwarebytes does NOT remove Windows 10, the worst malware ever to infest any computer!!!!

How did you manage to get your Mac infested with Windows 10?

Re:

[AHuxley]

Has the espionage related server been found? Has some sample of what the malware was interesting in been discovered?
"Biomedical facilities" could just be where larger groups of networked Macs exist in the wild due to their hardware/software use in the biomedical field over the years.

antique system calls

[phantomfive]

This 'security researcher' may be surprised to find that most of the software he uses on a Mac calls some 'antique system calls' that existed before OSX.

Re:antique system calls

[mmell]

Correct me if I'm wrong - aren't most system calls antique, in the sense that they weren't invented recently? The aforementioned system calls may or may not have recently been updated, but if developers have done their job correctly the intended functions continue to work exactly as they did before, given valid inputs. As an example, I'm pretty sure gethostbyname() is still in there. It's almost certainly been updated over the years, but it's still called the same way and returns the same thing.

Re:

[phantomfive]

Yeah, most of them were in the Mach kernel (Apple still uses header copyright from CMU in the 90s, even in iOS), and if you're willing to just go by function definitions, not the exact same code, then some of the system calls date back to the 70s.

so old!

[Gravis Zero]

Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,'

Kinda sounds like it's using POSIX functions which would be a smart move because they will not be removed in favor of a new API and it makes porting to other platforms easier since most everything is at least partly compliant to POSIX. Perl and Java were good choice since they are on all Apple machines and are resistant to library compatibility issues. This seems like it's a nation-state attack.

Re:

[Billly Gates]

Java on OSX resistant to library compatibility issues?? Are you kidding me?

Re:

[93 Escort Wagon]

Perl and Java were good choice since they are on all Apple machines and are resistant to library compatibility issues.

Java hasn't been part of the default Mac system install for quite a few years.

If you run a program which requires Java, you'll see a pop up telling you Java isn't installed and asking if you want to download the legacy Java runtime. If you say "yes", you'll be directed to an Apple web page where you can download it.

Re:

[TheFakeTimCook]

Perl and Java were good choice since they are on all Apple machines and are resistant to library compatibility issues.

Java hasn't been part of the default Mac system install for quite a few years.

If you run a program which requires Java, you'll see a pop up telling you Java isn't installed and asking if you want to download the legacy Java runtime. If you say "yes", you'll be directed to an Apple web page where you can download it.

And wasn't the possibility of stuff like this partly why Apple deprecated Java in XCode?

Re:

[phantomfive]

That has nothing to do with Java the language. It has to do with some libraries owned by Oracle.

Re:

[phantomfive]

1. Do you have to go out of your way and invest significant time and effort to avoid the use of these Oracle-owned libraries when you want to develop software in Java?

No, you have to go out of your way to use them.

2. Are you able to write good software without the Oracle-owned libraries? (good = robust, efficient, secure, ...)

Yes, assuming you are able to write good software at all. That is on you.

Re:

[phantomfive]

Why do the Oracle-owned libraries exist if they are adding zero value?

The same question could be asked of almost everything Oracle produces, including Oracle DB. Corporate customers with too much cash, who trust Oracle. Fortune 500 companies value stability and accountability over a few million here and there, and Oracle provides that.

You can see some of their corporate offerings here, it's #3 and #4 [oracle.com]. #4 is especially instructive, because if you are willing to compile OpenJDK for your device, you don't have to pay anything (which is what Google does now). But some managers

Re:

[TheRaven64]

1. Do you have to go out of your way and invest significant time and effort to avoid the use of these Oracle-owned libraries when you want to develop software in Java?

I'm quite happy to go out of my way to not add an extra 'use expensive commercial features' flag when I invoke the JVM.

2. Are you able to write good software without the Oracle-owned libraries? (good = robust, efficient, secure, ...)

I'd first like to see an existence proof that robust, efficient, and secure software exists, but assuming that axiom, any Java program that works with OpenJDK (i.e. the reference Java implementation) will work without any Oracle-specific things.

Obfuscated perl script

[Anonymous Coward]

Brought to you by the department of redundancy department.

Re:

[phantomfive]

Yes, OSX has an executable /tmp by default.
I just checked.

IMPOSSIBLE

[Billly Gates]

MacOSX ... and now a varient on Linux?!@ Complete absurd.

Only WIndows sucks and gets viruses and malware because it is not bless by RMS nor open sourced. You can run things under root for all your mission critical needs with no firewall at all for Apple products and be perfectly safe. Just ask any Apple fanboy and they will tell you or go on slashdot and ask anyone about security on Linux. It is impossible to get malware.

THe author MOST WORK FOR MICROSOFT

Re: IMPOSSIBLE

[mmell]

If the author worked for Microsoft, the exploit would require frequent updates, half of which would break it.

Re:

[sheramil]

If the author worked for Microsoft, the exploit would require you to install Windows 10.

Re: IMPOSSIBLE

[dilvish_the_damned]

And would certainly ask "Are you really, really sure you want to infect this machine?"

Re: IMPOSSIBLE

[mmell]

"Hi, I'm Clippy. It looks like your infecting an Apple product. Can I help?"

M$ fanboi has got mod points.

[mmell]

Notice that this entire thread has been downmodded.

That's okay - I've got karma to burn, and if M$ shills choose to employ Trumpian tactics, well . . . they should go after someone with serious complaints instead of a bunch of comedians like us. Now I know how Alec Baldwin and the cast of SNL feel. It's good to know that we engendered such a response in one of Redmond's minions. Next, we'll be hearing how this could be fixed by not relying on name services for host resolution - after all there's got to

Yawn, I should be a security researcher

[guruevi]

There have been a string of 'security researchers' being featured here on /. lately that are simply trying to get some limelight just by claiming the perpetrator being the boogeyman-du-jour, actually the same 'security researcher' wrote about a variation of this a few months ago: https://blog.malwarebytes.com/... [malwarebytes.com]
- You need to download it
- You need to run it (with various warnings being thrown up)
- You need to install Java for it to run (which does not come standard on a Mac, requires a significant download

Re:Yawn, I should be a security researcher

[Gadget_Guy]

Are you seriously trying to claim that he is some sort of alarmist? From the link that you provided, it concludes:

Adwind is, overall, a fairly weak effort on the Mac.

And where did the blogger claim the perpetrator of this malware was the boogeyman-du-jour? All I could find was things like:

Although there is no evidence at this point linking this malware to a specific group, the fact that it's been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.

This could also signify that the hackers behind it really don't know the Mac very well and were relying on old documentation.

That doesn't paint the picture of an uber-hacker! At no point was it claimed that this was going to affect us all. In fact, it was said that this has already been fixed by Apple:

Apple calls this malware Fruitfly and has released an update that will be automatically downloaded behind the scenes to protect against future infections.

If he is trying to "get some limelight" then aren't you also doing the same thing by posting here? Just talking about something is not the same as getting some limelight. This was just another post about the latest malware to be investigated by them. At no point was it hyped as anything new. It discussed the parts of the malware that seemed to be ancient code, as well as the parts that were new. However, I will admit that the headline of "the first Mac malware of 2017" is pretty inflammatory considering that it seems to have been deployed for a while. I think it would have been better said as the first malware of 2017 that he had looked at.

Re:

[guruevi]

This quote from the article:
There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it's been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.

seems pretty alarmist to me.

Re:

[Gadget_Guy]

Why? In what way does it seem implausible? If this malware has only been seen at a certain type of place, what other conclusion is more likely to you? That it is all some giant coincidence and that we should pay no attention to where it was found?

Surely the alarmist thing would be to say that everybody is likely to be attacked by this malware. Or maybe that it was a terrorist plot to release some biological agent into the atmosphere by remote control. But no, it just says that it is probably just everyday i

Re:

[Osiris Ani]

So can the security researcher do the planet some good by providing a simple Java app which would clean everything or do we really need to buy Malwarebytes to fix this?

RTFM helps. “Apple calls it 'Fruitfly', and has already released an update that will be automatically downloaded behind the scenes to protect against future infections.”

Re:

[Osiris Ani]

RTFA. Bah.