Malwarebytes discovered a Mac malware threat dubbed Fruitfly that is being used to target biomedical research facilities. Calling Fruitfly new, however, may not be correct: it appears to have been around since at least 2014, and it relies on some system calls that predate OS X.
Fruitfly, or OSX.Backdoor.Quimitchin, grabs screenshots and system uptime from victims' Macs and uploads them to a remote server, and it also tries to gain access to the webcam. The malware's reliance on antiquated code likely played a role in how long it went undetected.
“The first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing network traffic from a particular Mac,” said Thomas Reed from Malwarebytes. “This led to the discovery of a piece of malware unlike anything I’ve seen before, which appears to have actually been in existence, undetected, for some time, and which seems to be targeting biomedical research centers.”
He said the estimate of the malware's age rests on file timestamps from 2015, which he cautions can be faked, and on annotations in the code indicating it was updated for OS X Yosemite, which was released in 2014.
Another clue, of course, is the age of some of the code, which could suggest that this malware goes back decades. However, the age of the code is weak evidence for the age of the malware.
It is possible the attackers used old system calls to make their activity harder to spot, or that they were not familiar enough with the Mac to realize newer calls were available.
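The caveat about faked timestamps is worth making concrete. The following is an added example, not part of the Malwarebytes analysis: it creates a constructed sample file, backdates its modification time to 2015 with os.utime, and shows that the inode change time (ctime) still records when the file was actually touched, because utime cannot set ctime. The point for an analyst is that a file's mtime is under the attacker's control, while ctime is a floor on when the file last changed on that system.

```python
import os
import tempfile
import time

# 2015-06-01T00:00:00Z, an arbitrary "old-looking" timestamp chosen for the demo
FAKE_MTIME_EPOCH = 1433116800


def backdate_and_inspect(fake_mtime_epoch):
    """Create a constructed sample file, backdate its mtime/atime, and
    return (mtime, ctime) as seen by stat() afterwards."""
    fd, path = tempfile.mkstemp(prefix="fruitfly-demo-")
    try:
        os.write(fd, b"constructed sample payload, not real malware\n")
        os.close(fd)
        # This is all an attacker needs to make a file "look" years old.
        os.utime(path, (fake_mtime_epoch, fake_mtime_epoch))
        st = os.stat(path)
        return st.st_mtime, st.st_ctime
    finally:
        os.unlink(path)


def mtime_is_trustworthy(mtime, ctime, slack_seconds=86400):
    """Heuristic check: if ctime is far later than mtime, the mtime says
    nothing reliable about when the file arrived on this system. A copy
    that preserves timestamps (cp -p, tar, installers) also trips this,
    so it is a prompt to corroborate with other evidence, not proof of
    tampering."""
    return ctime - mtime <= slack_seconds


if __name__ == "__main__":
    mtime, ctime = backdate_and_inspect(FAKE_MTIME_EPOCH)
    print("mtime (attacker-settable):", time.strftime("%Y-%m-%d", time.gmtime(mtime)))
    print("ctime (set by the kernel): ", time.strftime("%Y-%m-%d", time.gmtime(ctime)))
    print("mtime trustworthy on its own?", mtime_is_trustworthy(mtime, ctime))
```

Run on a fresh file, the mtime reports 2015 while the ctime reports today, which is exactly why Reed treats the 2015 timestamps as a hint rather than proof.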
It is not clear who is behind Fruitfly or how the code is getting onto victims' computers. Given Russian and Chinese interest in U.S. and European biomedical research, it is easy to assume they are involved, although there is no evidence to back that up right now.
Apple is aware of Fruitfly and is already pushing out a Gatekeeper update to help protect Mac users. The update is delivered automatically to any Mac with an internet connection, so there is no need to check the App Store app for it.