Pierluigi Paganini January 19, 2017

Researchers at Malwarebytes have discovered the first Mac malware of 2017, dubbed Quimitchin, that was used against  biomedical research institutions.

Security experts have spotted the first Mac malware of 2017, dubbed Quimitchin,  and it is considered a malicious code not particularly sophisticated and includes some antiquated code.

According to the researchers from Malwarebytes, the code has been in the wild for several years and was used in targeted attacks against biomedical research institutions.

The Quimitchin spyware was discovered by an IT admin who noticed an anomalous traffic from a certain Mac in his network.

The malicious code is composed of two only two files:

• A .plist file that simply keeps the .client running at all times.
• A .client file containing the malicious payload, a minified and obfuscated Perl script.

The main features implemented by the payload are the screen captures and webcam access.

“The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command.” reads the analysis published by MalwareBytes.

The ability of the malware to exfiltrate data from anything it can access, and the nature of the targets, biomedical facilities, suggest that threat actors behind the attacks were conducting a cyber espionage campaign.

The Quimitchin uses antique system calls, and the analysis of its code revealed the use of the open source libjpeg code, which was last updated in 1998.

“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.” continues the analysis.

“The Java class appears to be capable of receiving commands to do various tasks, which include yet another method of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position, simulating mouse clicks, and simulating key presses. This component appears to be intended to provide a kind of rudimentary remote control functionality.”

Experts from Malwarebytes suspect that there is also a specific Linux variant in the wild because they have found Linux shell commands in the code of the scripts.

The security firm also found two Windows executable file that communicated with the same C&C server, in one case the Windows code used the same libjpeg library.

Despite the Quimitchin is not so complex, it continues to properly work avoiding the detection, something similar to the EyePyramid code.

Why a code like Quimitchin wasn’t detected for so long time?

Expert believe that is was using in a limited number of targeted attack so he was not spotted before.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Quimitchin spyware, cyber espionage)