'Fruitfly' malware patched by Apple relies on 'ancient' Mac system calls
Newly-patched Mac malware relies on some antiquated code predating the OS X era, but has been used in some previous real-world attacks on biomedical research groups, according to a prominent security software maker.
The malware communicates with two command-and-control servers, and can perform actions like typing, webcam and screen captures, and moving and clicking a mouse cursor, Malwarebytes said in a blog post on Wednesday. It also maps other devices on a network and tries to connect to them.
Unusually the malware is said to rely on pre-OS X system calls, and even open-source "libjpeg" code not updated since 1998. Much of the software is said to be Linux-compatible, possibly suggesting the existence of a native variant. Related Windows executables are said to exist, but date back to at least 2013.
The Mac malware may also have been in circulation for a long time, given some associated timestamps. A comment in a one file makes reference to a change for OS X Yosemite, which Apple released in 2014.
Malwarebytes didn't elaborate on the alleged biomedical attacks, except to say there's no evidence linking them to a specific group. Chinese and Russian hackers have, however, been known to steal American and European scientific data.
The company noted that Apple has already released a silent update for macOS, dubbing the malware "Fruitfly." Malwarebytes' own app identifies the code as "OSX.Backdoor.Quimitchin," making a reference to ancient Aztec spies.
Serious malware threats are a relatively rare phenomenon on the Mac, both because macOS remains a minority platform -- hence a smaller target -- and because Apple has stepped up its own security efforts in recent years. Recently it instituted a bug bounty program, matching similar efforts at companies like Google, making it potentially lucrative to defend rather than attack Apple platforms.
The malware communicates with two command-and-control servers, and can perform actions like typing, webcam and screen captures, and moving and clicking a mouse cursor, Malwarebytes said in a blog post on Wednesday. It also maps other devices on a network and tries to connect to them.
Unusually the malware is said to rely on pre-OS X system calls, and even open-source "libjpeg" code not updated since 1998. Much of the software is said to be Linux-compatible, possibly suggesting the existence of a native variant. Related Windows executables are said to exist, but date back to at least 2013.
The Mac malware may also have been in circulation for a long time, given some associated timestamps. A comment in a one file makes reference to a change for OS X Yosemite, which Apple released in 2014.
Malwarebytes didn't elaborate on the alleged biomedical attacks, except to say there's no evidence linking them to a specific group. Chinese and Russian hackers have, however, been known to steal American and European scientific data.
The company noted that Apple has already released a silent update for macOS, dubbing the malware "Fruitfly." Malwarebytes' own app identifies the code as "OSX.Backdoor.Quimitchin," making a reference to ancient Aztec spies.
Serious malware threats are a relatively rare phenomenon on the Mac, both because macOS remains a minority platform -- hence a smaller target -- and because Apple has stepped up its own security efforts in recent years. Recently it instituted a bug bounty program, matching similar efforts at companies like Google, making it potentially lucrative to defend rather than attack Apple platforms.
Comments
"Serious malware threats are a relatively rare phenomenon on the Mac, both because macOS remains a minority platform —hence a smaller target —and because Apple has stepped up its own security efforts in recent years."
Right, because until "recent years" malware was such a rampant problems with Macs. I don't know how I would have explained the almost complete absence of any meaningful Mac malware since the dawn of OS X, but that explanation is a poor one.
Another way to look at it.
A Hacker could work really hard to find the one hole to crawl through, or you go after the soft target with lots of holes with any number of them could be far more profitable at a lower rick. It would be like going after Fort Knox, you know there is a big reward there and you know it has tough security and if you get in it will not go unnoticed. Or your other option is to focus on all the little savings and loans around the country which you know have flawed security and most likely will not see you coming and if you do break in they my not notice for a long while so you can keep coming back for more.
I personally think Hackers are lazy and look for the easy soft target. Hacking use to be a honorable activities where the best of the best try to go after the hardest or most interesting targets and when they successful they showed their friend how good they were.
In this day and age where EVERYTHING is being hacked -- from webcams to DVR's to "smart" TV's -- to think that Macs are not being targeted is naive.
In my job, I see a LOT of Macs, both business and personal (and a lot of Windows-based machines as well). And I can personally attest that malware on Mac is live and well. Granted, we're lucky that it's nothing compared to what we see on Windows, but it's there nonetheless. Most of the unwanted software is your garden-variety stuff, like a rogue browser plugin that pops ads and generally tracks the user. But fairly regularly, I do see more sinister malware. (Fortunately, unlike Windows, it's fairly easy to eradicate).
If you read Apple's release notes, you'll see that there is a long list of security fixes incorporated into every OS update released.
I recommend users periodically run EtreCheck (which checks for known malware) and Malwarebytes for Mac. Both programs are free.