Quimitchin: The first Mac malware of 2017

Malwarebytes, the Mac anti-malware vendor, has announced the discovery of the first Mac malware of 2017. Quimitchin is named after the Aztec spies who infiltrated other tribes.


An IT admin noticed unusual traffic coming from a particular Mac belonging to biomedical researchers… The malware was taking screenshots, sending them out, and attempting to access the webcam.

Thomas Reed, director of Mac offerings at Malwarebytes, said:

“It seems that this malware is trying to exfiltrate data from anything it can access. Since this has been seen infecting Macs at biomedical facilities, we believe it’s being used for espionage to steal scientific data, but we don’t know at this point who might be behind the malware.”

But the most interesting thing is the way it was coded.

Indeed, the code relies on antiquated system calls that were last updated in 1998.

Quimitchin consists of only two files:

  1. A .plist file (a launch agent) whose only job is to keep .client running at all times.

  2. A .client file containing the malicious payload: a minified and obfuscated Perl script.

Thomas Reed added, “a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.”
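The two-file layout just described (a launch agent plist that keeps a hidden .client alive, plus a Perl script carrying extra payloads after its __DATA__ marker, which it drops into /tmp/ and runs) is straightforward to triage statically. The following is an added example written for this article; it is not Malwarebytes' code and not the malware's. It checks a launch agent plist for the "hidden dot-file kept alive" persistence pattern, looks for the extract-to-/tmp/-and-execute logic in a Perl script body, and scans the script's __DATA__ section for Mach-O, Java class and Perl headers. The plist label, the file paths, the sample script and its embedded blobs are all constructed for the example; the real sample's filenames and the way it delimits the appended payloads are not given on this page.

```python
"""Static triage for the two-file pattern described in the article.
Added example, not Malwarebytes' or the malware's code; all sample data
below is constructed for illustration."""
import plistlib
import re

# Magic numbers for the payload types the article lists.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}
JAVA_OR_FAT_MAGIC = b"\xca\xfe\xba\xbe"  # shared by Java .class and Mach-O fat binaries
DATA_MARKER = b"\n__DATA__\n"

# Constructed launch agent plist (label and path are assumptions).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.client</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/.client</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed stand-in for the dropper: read the blob appended after
# __DATA__, write it to /tmp/, run it. Three fake payload headers follow.
SAMPLE_SCRIPT = (
    b"#!/usr/bin/perl\n"
    b"use strict;\n"
    b"local $/ = undef;\n"
    b"my $blob = <DATA>;\n"
    b"open(my $fh, '>', '/tmp/x') or die;\n"
    b"print $fh $blob;\n"
    b"close $fh;\n"
    b"system('/tmp/x');"
    + DATA_MARKER
    + b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 8   # fake 64-bit Mach-O header
    + b"#!/usr/bin/perl\nprint 1;\n"                            # embedded Perl script
    + b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34" + b"\x00" * 8   # fake Java class (major 52)
)


def launch_agent_findings(plist_bytes):
    """Reasons a launch agent looks like a persistence stub for a hidden file."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or []
    program = d.get("Program") or (args[0] if args else "")
    findings = []
    if program.rsplit("/", 1)[-1].startswith("."):
        findings.append("runs a hidden dot-file: " + program)
    if d.get("KeepAlive"):
        findings.append("KeepAlive: relaunched whenever it exits")
    if d.get("RunAtLoad"):
        findings.append("RunAtLoad: started at every login")
    return findings


def classify_blob(blob):
    """Name the payload type from its first bytes."""
    magic = blob[:4]
    if magic in MACHO_MAGICS:
        return MACHO_MAGICS[magic]
    if magic == JAVA_OR_FAT_MAGIC:
        # Same heuristic as file(1): a fat header's nfat_arch is tiny,
        # a class file's minor/major version pair reads as >= 45.
        n = int.from_bytes(blob[4:8], "big")
        return "Mach-O fat binary" if n < 20 else "Java class (major version %d)" % (n & 0xFFFF)
    if blob.startswith(b"#!") and b"perl" in blob.split(b"\n", 1)[0]:
        return "Perl script"
    return "unknown"


def embedded_payloads(script_bytes):
    """(offset, kind) for every recognisable header after __DATA__."""
    _body, sep, data = script_bytes.partition(DATA_MARKER)
    if not sep:
        return []
    alternatives = [re.escape(m) for m in MACHO_MAGICS]
    alternatives.append(re.escape(JAVA_OR_FAT_MAGIC))
    alternatives.append(rb"#![^\n]*perl")
    pattern = re.compile(b"|".join(alternatives))
    return [(m.start(), classify_blob(data[m.start():])) for m in pattern.finditer(data)]


def dropper_findings(script_bytes):
    """Cheap indicators of 'extract from DATA, write to /tmp/, execute'."""
    body = script_bytes.partition(DATA_MARKER)[0]
    checks = [
        (rb"<DATA>", "reads its own __DATA__ section"),
        (rb"/tmp/", "writes to /tmp/"),
        (rb"\b(system|exec)\s*\(", "executes a command"),
    ]
    return [desc for rx, desc in checks if re.search(rx, body)]


if __name__ == "__main__":
    for f in launch_agent_findings(SAMPLE_PLIST):
        print("plist:", f)
    for f in dropper_findings(SAMPLE_SCRIPT):
        print("script:", f)
    for off, kind in embedded_payloads(SAMPLE_SCRIPT):
        print("payload at data+%d: %s" % (off, kind))
```

Point `launch_agent_findings` at each file under ~/Library/LaunchAgents and `embedded_payloads` at whatever those agents execute. The magic-number scan is a heuristic: four-byte patterns can occur by chance inside binary data, and the CAFEBABE split between fat Mach-O and Java class follows the file(1) convention rather than a hard rule, so treat hits as leads for manual inspection, not verdicts.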

According to the security firm, there may also be a Linux variant, since the scripts contain Linux shell commands.

In addition, they found two Windows executables that communicated with the same command and control (C&C) server.

Finally, this very unusual way of operating is what allowed it to escape modern detection systems for so long. It has been in circulation for some time, probably since 2014; Quimitchin went undiscovered because it was deployed only rarely, and in very targeted cases.
