Submitted URL: http://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
Effective URL: https://www.malwarebytes.com/blog/news/2017/01/new-mac-backdoor-using-antiquated-code

Apple | News | Threats

NEW MAC BACKDOOR USING ANTIQUATED CODE

Posted: January 18, 2017 by Thomas Reed

The first Mac malware of 2017 was brought to my attention by an IT admin, who
spotted some strange outgoing network traffic from a particular Mac. This led to
the discovery of a piece of malware unlike anything I’ve seen before, which
appears to have actually been in existence, undetected, for some time, and which
seems to be targeting biomedical research centers.

The malware was extremely simplistic on the surface, consisting of only two
files:

~/.client
SHA256: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044

~/Library/LaunchAgents/com.client.client.plist
SHA256: 83b712ec6b0b2d093d75c4553c66b95a3d1a1ca43e01c5e47aae49effce31ee3

The launch agent .plist file itself couldn’t have been much simpler, simply
keeping the .client running at all times.

     KeepAlive
     Label             com.client.client
     ProgramArguments  /Users/xxxx/.client
     RunAtLoad
     NSUIElement       1

The .client file was where things got really interesting. It took the form of a
minified and obfuscated perl script.

The perl script, among other things, communicates with the following command and
control (C&C) servers:

99.153.29.240
eidk.hopto.org

The latter is a domain name managed by the dynamic DNS service no-ip.com.
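The post opens with an admin noticing unusual outgoing traffic, and the two indicators above are what a defender would hunt for in DNS and connection logs. The following is an added example, not Malwarebytes' code: it matches constructed log lines against the post's two C&C indicators and, as a broader heuristic, flags any lookup under a dynamic DNS suffix such as the no-ip.com domain hopto.org. The log line format, the sample lines, and the extra suffixes in DYNDNS_SUFFIXES are assumptions made for the example.

```python
"""Match network log lines against the C&C indicators named in the post.

Added example (not Malwarebytes' code).  The log format and the sample
lines are constructed; hopto.org is the no-ip.com suffix the post names,
the other suffixes are assumed for illustration.
"""
import ipaddress
import re
from typing import List, Tuple

# Indicators taken from the post.
C2_IPS = {"99.153.29.240"}
C2_DOMAINS = {"eidk.hopto.org"}

# Dynamic DNS suffixes.  hopto.org is from the post; the others are assumptions.
DYNDNS_SUFFIXES = ("hopto.org", "no-ip.org", "ddns.net")

# Constructed log lines: "<ts> <host> dns <query>" or "<ts> <host> conn <dst_ip>:<port>".
SAMPLE_LOG = """\
2017-01-10T09:12:01Z lab-mac-07 dns eidk.hopto.org
2017-01-10T09:12:02Z lab-mac-07 conn 99.153.29.240:443
2017-01-10T09:12:05Z lab-mac-03 dns swscan.apple.com
2017-01-10T09:13:40Z lab-mac-07 dns backup.ddns.net
2017-01-10T09:14:00Z lab-mac-03 conn 203.0.113.10:443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn) (?P<value>\S+)$")


def is_dyndns(name: str) -> bool:
    """True when the name is a dynamic DNS suffix or a host under one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def match_line(line: str) -> Tuple[str, str]:
    """Return (severity, reason) for one log line, or ('', '') when it is clean."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("", "")
    kind, value = m["kind"], m["value"]
    if kind == "dns":
        if value.lower().rstrip(".") in C2_DOMAINS:
            return ("high", f"known C&C domain {value}")
        if is_dyndns(value):
            return ("medium", f"dynamic DNS name {value}")
        return ("", "")
    # Connection record: strip the port and validate the address.
    ip = value.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return ("", "")
    if ip in C2_IPS:
        return ("high", f"connection to known C&C address {ip}")
    return ("", "")


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, severity, reason) for every line that matched an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        severity, reason = match_line(line)
        if severity:
            hits.append((m["host"], severity, reason))
    return hits


if __name__ == "__main__":
    for host, severity, reason in scan_log(SAMPLE_LOG):
        print(f"{severity:6} {host}: {reason}")
```

The exact-match hits are the high-confidence signal; the dynamic DNS heuristic is there because a single no-ip.com name is easy to rotate, so a hunt should not stop at the literal indicator.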

The script also includes some code for taking screen captures via shell
commands. Interestingly, it has code to do this both using the Mac
“screencapture” command and the Linux “xwd” command. It also has code to get the
system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime”
command.

The most interesting part of the script can be found in the __DATA__ section at
the end. Found there are a Mach-O binary, a second perl script and a Java class,
which the script extracts, writes to the /tmp/ folder and executes. In the case
of the Java class file, it is run with apple.awt.UIElement set to true, which
means that it does not show up in the Dock.
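A script that carries its real payloads after the __DATA__ marker is a pattern worth checking for during triage. The following is an added example, not code from the post or from Malwarebytes: it takes everything after a Perl __DATA__ (or __END__) marker and reports any chunk that starts with an executable signature, checking the raw bytes and, as an assumption about how such payloads are often stored, a base64-decoded copy. The post does not say how the payloads were encoded. The sample script, its blank-line chunk layout and the synthetic payload headers are all constructed here.

```python
"""Report embedded executables in a Perl script's __DATA__ section.

Added example (not from the post).  The sample script is constructed; the
payload bytes are synthetic headers, not real binaries.  Splitting the
section on blank lines and trying base64 are assumptions for illustration.
"""
import base64
import binascii
import re
from typing import List, Tuple

# File-type signatures worth flagging inside a script's data section.
MAGIC = [
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (little-endian)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),
    (b"\xca\xfe\xba\xbe", "Java class or fat Mach-O"),
    (b"\x7fELF", "ELF"),
    (b"MZ", "PE/DOS"),
    (b"#!", "script with shebang"),
]

# Constructed sample: a launcher stub followed by three payload chunks.
SAMPLE_SCRIPT = (
    b"#!/usr/bin/perl\n"
    + b"use strict;\n"
    + b"# launcher logic omitted in this constructed sample\n"
    + b"__DATA__\n"
    + base64.b64encode(b"\xcf\xfa\xed\xfe" + b"\x00" * 28) + b"\n"
    + b"\n"
    + b"#!/usr/bin/perl\nprint \"second stage\\n\";\n"
    + b"\n"
    + base64.b64encode(b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8) + b"\n"
)


def data_section(script: bytes) -> bytes:
    """Return the bytes after the first __DATA__ or __END__ line, or b'' if absent."""
    m = re.search(rb"^__(?:DATA|END)__\r?\n", script, re.M)
    return script[m.end():] if m else b""


def identify(blob: bytes) -> str:
    """Name the file type by leading magic bytes; '' when nothing is recognised."""
    for sig, name in MAGIC:
        if blob.startswith(sig):
            return name
    return ""


def embedded_payloads(script: bytes) -> List[Tuple[str, str]]:
    """Return (encoding, type) for each recognised executable in the data section."""
    found = []
    # Assumption: payloads are stored as blank-line separated chunks.
    for chunk in re.split(rb"\r?\n\s*\r?\n", data_section(script)):
        chunk = chunk.strip()
        if not chunk:
            continue
        kind = identify(chunk)
        if kind:
            found.append(("raw", kind))
            continue
        # Not raw: try a base64 decode of the chunk with line wrapping removed.
        try:
            decoded = base64.b64decode(re.sub(rb"\s+", b"", chunk), validate=True)
        except binascii.Error:
            continue
        kind = identify(decoded)
        if kind:
            found.append(("base64", kind))
    return found


if __name__ == "__main__":
    for encoding, kind in embedded_payloads(SAMPLE_SCRIPT):
        print(f"{encoding:7} {kind}")
```

Any hit here is a reason to pull the file for a closer look; a legitimate Perl script rarely carries a Mach-O or Java class after __DATA__.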

The binary itself seems primarily interested in screen captures and webcam
access, but interestingly, it uses some truly antique system calls for those
purposes, such as:

SGGetChannelDeviceList
SGSetChannelDevice
SGSetChannelDeviceInput
SGInitialize
SGSetDataRef
SGNewChannel
QTNewGWorld
SGSetGWorld
SGSetChannelBounds
SGSetChannelUsage
SGSetDataProc
SGStartRecord
SGGetChannelSampleDescription

These are some truly ancient functions, as far as the tech world is concerned,
dating back to pre-OS X days. In addition, the binary also includes the open
source libjpeg code, which was last updated in 1998.

The Java class appears to be capable of receiving commands to do various tasks,
which include yet another method of capturing the screen, getting the screen
size and mouse cursor position, changing the mouse position, simulating mouse
clicks, and simulating key presses. This component appears to be intended to
provide a kind of rudimentary remote control functionality.

We also observed the malware downloading a perl script, named “macsvc”, from the
C&C server. This script uses mDNS to build a map of all the other devices on the
local network, giving information about each device including its IPv6 and IPv4
addresses, name on the network and the port that is in use. It also appears to
be making connection attempts to devices it finds on the network.

macsvc SHA256: b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0

Another file downloaded from the C&C server was named “afpscan”, and it seems to
try to connect to other devices on the network.

afpscan SHA256: bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55

The presence of Linux shell commands in the original script led us to try
running this malware on a Linux machine, where we found that – with the
exception of the Mach-O binary – everything ran just fine. This suggests that
there may be a variant of this malware that is expressly designed to run on
Linux, perhaps even with a Linux executable in place of the Mach-O executable.
However, we have not found such a sample.

We were able to locate a couple of Windows executable files on VirusTotal that
communicate with the same C&C server. In addition, one contains strings that
indicate that it uses the same libjpeg library from 1998 as the Mac Mach-O
binary. Each of these samples was only ever submitted to VirusTotal once, in
June and July of 2013, and they are only detected by a few engines under generic
names.

SHA256: 94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647
SHA256: 694b15d69264062e82d43e8ddb4a5efe4435574f8d91e29523c4298894b70c26

There are other indications that this malware has been circulating undetected
for a long time. On one of the infected Macs, the launch agent file had a
creation date in January of 2015. That’s not strong evidence of the true
creation date, though, as those dates can easily be changed.

Further, there is a comment in the code in the macsvc file that indicates that a
change was made for Yosemite (Mac OS X 10.10), which was released in October of
2014. This suggests that the malware has been around at least some time prior to
Yosemite’s release.

 # Service name parsing in macsvc; the regex escapes (\S, \s, \d) are restored here.
 if (/_(tcp|udp)\S*\s+(_\S+)$/) {
     $s = "$2._$1";
 }
 elsif (/icloud.com.\s+(_[^.]+._(tcp|udp)).\d+.members.btmm$/) {   # changed in yosemite
     $s = $1;
 }
 elsif (/icloud.com.\s+.\s+_autotunnel6$/) {
     next;
 }

Another clue, of course, is the age of some of the code, which could potentially
suggest that this malware goes back decades. However, we shouldn’t take the age
of the code as too strong an indication of the age of the malware. This could
also signify that the hackers behind it really don’t know the Mac very well and
were relying on old documentation. It could also be that they’re using old
system calls to avoid triggering any kind of behavioral detections that might be
expecting more recent code.

Ironically, despite the age and sophistication of this malware, it uses the same
old unsophisticated technique for persistence that so many other pieces of Mac
malware do: a hidden file and a launch agent. This makes it easy to spot, given
any reason to look at the infected machine closely (such as unusual network
traffic). It also makes it easy to detect and easy to remove.
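The persistence mechanism described above, a hidden dotfile in the home directory kept alive by a launch agent, is exactly what the plist shown earlier in the post encodes, and it is simple to check for. The following is an added example, not Malwarebytes' code: it parses launch agent plists with the standard-library plistlib and flags the combination the post describes, a program that is a hidden dotfile under a user's home directory together with KeepAlive and RunAtLoad both set. The two sample plists are constructed here from the keys the post lists; the label and path mirror the post's sample, the benign one is invented for contrast, and the scan_launch_agents helper is an assumption about where to look (the per-user ~/Library/LaunchAgents directory).

```python
"""Triage macOS LaunchAgent plists for the hidden-dotfile persistence pattern.

Added example (not Malwarebytes' code).  Both sample plists are constructed;
the first uses the keys, label and program path the post lists.
"""
import os
import plistlib
import posixpath
from typing import Dict, List
from xml.parsers.expat import ExpatError

# Constructed sample, mirroring the keys named in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>KeepAlive</key><true/>
  <key>Label</key><string>com.client.client</string>
  <key>ProgramArguments</key><array><string>/Users/xxxx/.client</string></array>
  <key>RunAtLoad</key><true/>
  <key>NSUIElement</key><string>1</string>
</dict>
</plist>
"""

# Constructed benign agent for contrast: a vendor binary inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_path(agent: Dict) -> str:
    """Return the executable the agent launches (Program, else ProgramArguments[0])."""
    if "Program" in agent:
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage_launch_agent(data: bytes) -> List[str]:
    """Return human-readable findings for one plist; an empty list means nothing suspicious."""
    agent = plistlib.loads(data)
    findings = []
    path = program_path(agent)
    name = posixpath.basename(path)
    parts = path.split("/")
    # Hidden dotfile executed directly out of a home directory.
    if name.startswith(".") and len(parts) > 2 and parts[1] in ("Users", "home"):
        findings.append(f"program is a hidden dotfile in a home directory: {path}")
    # KeepAlive plus RunAtLoad: started at login and respawned whenever it exits.
    if agent.get("KeepAlive") and agent.get("RunAtLoad"):
        findings.append("KeepAlive and RunAtLoad both set (always running)")
    return findings


def scan_launch_agents(directory: str) -> Dict[str, List[str]]:
    """Triage every .plist in a LaunchAgents directory; returns {filename: findings}."""
    results: Dict[str, List[str]] = {}
    if not os.path.isdir(directory):
        return results
    for filename in sorted(os.listdir(directory)):
        if not filename.endswith(".plist"):
            continue
        with open(os.path.join(directory, filename), "rb") as fh:
            try:
                findings = triage_launch_agent(fh.read())
            except (plistlib.InvalidFileException, ExpatError):
                findings = ["could not parse plist"]
        if findings:
            results[filename] = findings
    return results


if __name__ == "__main__":
    # Assumption: the per-user launch agent directory is the place to look.
    for plist, findings in scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")).items():
        print(plist)
        for finding in findings:
            print("  -", finding)
```

The dotfile check is the one that matters for this sample; KeepAlive with RunAtLoad is common in legitimate agents too, so on its own it is context rather than a verdict.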

The only reason I can think of that this malware hasn’t been spotted before now
is that it is being used in very tightly targeted attacks, limiting its
exposure. There have been a number of stories over the past few years about
Chinese and Russian hackers targeting and stealing US and European scientific
research. Although there is no evidence at this point linking this malware to a
specific group, the fact that it’s been seen specifically at biomedical research
institutions certainly seems like it could be the result of exactly that kind of
espionage.

Malwarebytes will detect this malware as OSX.Backdoor.Quimitchin. (Why the name?
Because the quimitchin were Aztec spies who would infiltrate other tribes. Given
the “ancient” code, we thought the name fitting.) Apple calls this malware
Fruitfly and has released an update that will be automatically downloaded behind
the scenes to protect against future infections.
