Security software development firm Malwarebytes has just exposed what could be the first known case of Mac malware for the year of 2017.
It appears to be a highly antiquated piece of malware. In other words, it’s not super advanced and it’s using methods to infect machines that are so well-known that only a small number of unsuspecting users would even fall victim to it.
According to the report from Malwarebytes, this malware relies on two things: a hidden file and the user’s action to prompt the file. This can be achieved with a user interface that looks legit and then forces the launch of the malware rather than what the user was expecting to launch.
This malware seems to be targeting biomedical research institutions moreso than anyone else, so it’s not really intended to harm the general populous. Nevertheless, it opens a backdoor and allows anyone who’s listening in grab basic information, such as screen captures, system up-time data, mouse cursor position, and more; a serious security breach.
This information is then inconspicuously passed along to the listener via a third-party server, so it requires an internet connection. To help keep it from being noticed, a special boolean variable inside the code keeps the malware app from being spotted in the Dock.
Also noteworthy is how this malware has code for simulating mouse cursor movements and clicks, as well as keyboard key presses, both of which appear to be means of remote control whenever the listener wants to have more access. Perhaps with a little help from the up-time schedule, the listener will know when people are away and can do malicious things when the time is right.
The code reportedly worked just fine on Linux-based machines, as well as that of Macs running Apple’s macOS, so it appears to be viable on two different platforms.
Interestingly, Malwarebytes points out that because the malware uses such an antiquated method of attack, it would be easy to spot and remove via a trained eye or with malware removal programs. That said, it’s infecting machines that clearly don’t get a lot of anti-malware treatment – so perhaps they should start.
The experts who conducted the reverse engineering of the malware found comment files that suggest this malware has been in effect for quite some time; at least since OS X Yosemite (launched in 2014). The reason this malware may have gone unnoticed for so long was because it targeted a very small sample of machines. Had it have been present on more machines, it may have been noticed and reported much faster.
It’s very unlikely that your Mac at home has been infected with this malware, which is being dubbed OSX.Backdoor.Quimitchin, named after the Aztec spies who were known for infiltrating other tribes for information. Nevertheless, that’s not to say that other rogue malware couldn’t infect your machine, so you should always be wary of what you download.