Security researchers at Malwarebytes have analyzed a piece of Mac espionage malware they call Quimitchin (Apple refers to it as ‘Fruitfly’). It came to light when an IT administrator noticed unusual outbound network traffic from a Mac and investigated. The malware appears to have existed, undetected, for a long time: one file timestamp dates back to January 2015, but much about its origin remains unknown at this time.
The malware’s purpose appears to be surveillance: it takes screen captures and accesses the webcam, behaviour characteristic of most espionage tools. According to the investigation it has primarily been found at scientific research institutions, but who is behind it is still unknown.
The Mac malware consists primarily of two files, a .plist file and a .client file:
- The .plist file is a launch agent that keeps .client running at all times, relaunching it if it exits.
- The .client file is the actual payload: a minified and obfuscated Perl script that communicates with the command-and-control (C&C) servers.
The script takes screenshots by running shell commands. It contains code to perform the same operation with the macOS ‘screencapture’ command and with the Linux ‘xwd’ command, and it can also collect system uptime, using the macOS ‘uptime’ command or Linux ‘cat /proc/uptime’. Code paths for both operating systems suggest the same script was meant to run on Linux as well.
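A triage helper for the persistence pattern just described (a launchd .plist that keeps a hidden script alive, and a script that shells out to macOS and Linux capture commands). This is an added example, not Malwarebytes’ or Apple’s code: the plist label, paths, the Perl fragment and the regular expressions are constructed stand-ins for illustration, not the real samples.

```python
"""
Triage helper for a Fruitfly/Quimitchin-style persistence pair: a launchd .plist
that keeps a hidden script running, plus a script that shells out to screenshot
and uptime commands on both macOS and Linux.

Added example, not Malwarebytes' or Apple's code. The plist label, paths and the
Perl fragment below are constructed stand-ins, not the real samples.
"""
import plistlib
import re
from typing import Dict, List

# Commands named in the write-up; the regexes and the macOS/Linux grouping are mine.
# The lookbehind keeps "cat /proc/uptime" from also counting as the macOS "uptime" command.
COMMAND_INDICATORS = {
    "mac_screenshot": re.compile(r"\bscreencapture\b"),
    "linux_screenshot": re.compile(r"\bxwd\b"),
    "mac_uptime": re.compile(r"(?<!/)\buptime\b"),
    "linux_uptime": re.compile(r"/proc/uptime"),
}

INTERPRETERS = {"perl", "python", "ruby", "sh", "bash", "zsh", "osascript"}


def plist_findings(plist_bytes: bytes) -> List[str]:
    """Reasons a launchd job definition looks like a keep-alive stub for a hidden script."""
    job = plistlib.loads(plist_bytes)
    findings: List[str] = []
    args = list(job.get("ProgramArguments") or [])
    if job.get("Program"):
        args.insert(0, job["Program"])

    keep_alive = job.get("KeepAlive")
    if keep_alive is True or isinstance(keep_alive, dict):
        findings.append("KeepAlive set: launchd relaunches the job whenever it exits")
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad set: the job starts as soon as the agent is loaded")

    for arg in args:
        basename = arg.rsplit("/", 1)[-1]
        if basename.startswith(".") and basename not in (".", ".."):
            findings.append(f"executes hidden dot-file {arg}")
    if args and args[0].rsplit("/", 1)[-1] in INTERPRETERS:
        findings.append(f"interpreter {args[0]} runs a script rather than a signed app")
    return findings


def script_findings(script_text: str) -> Dict[str, List[int]]:
    """Indicator name -> line numbers where the script invokes that command."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for name, pattern in COMMAND_INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def triage(plist_bytes: bytes, script_text: str) -> dict:
    """Flag the pair when the plist is a keep-alive stub AND the script carries capture logic for more than one OS."""
    plist = plist_findings(plist_bytes)
    script = script_findings(script_text)
    return {"plist": plist, "script": script, "suspicious": bool(plist) and len(script) >= 2}


# Constructed sample: a launch agent that keeps a hidden ~/.client alive (hypothetical label and path).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.client</string>
    <key>ProgramArguments</key>
    <array><string>/Users/victim/.client</string></array>
    <key>KeepAlive</key><true/>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed Perl fragment mimicking the OS-branching capture routine (not the real script).
SAMPLE_SCRIPT = r"""#!/usr/bin/perl
# constructed stand-in for a cross-platform capture routine
my $os = `uname`;
if ($os =~ /Darwin/) {
    system("screencapture -x /tmp/shot.jpg");
    $up = `uptime`;
} else {
    system("xwd -root -out /tmp/shot.xwd");
    $up = `cat /proc/uptime`;
}
"""

if __name__ == "__main__":
    result = triage(SAMPLE_PLIST, SAMPLE_SCRIPT)
    for reason in result["plist"]:
        print("plist:", reason)
    for name, lines in sorted(result["script"].items()):
        print(f"script: {name} at line(s) {lines}")
    print("suspicious:", result["suspicious"])
```

In practice you would feed `plist_findings` every file under `~/Library/LaunchAgents` and `/Library/LaunchAgents`, then run `script_findings` over whatever each job’s ProgramArguments points at; a keep-alive job launching a hidden dot-file is unusual enough on its own to deserve a look, and capture commands for two operating systems in one script are a strong second signal.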
“The most interesting part of the script can be found in the __DATA__ section at the end. Found there are a Mach-O binary, a second perl script and a Java class, which the script extracts, writes to the /tmp/ folder and executes. In the case of the Java class file, it is run with apple.awt.UIElement set to true, which means that it does not show up in the Dock.” – Malwarebytes explained.
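To see what “extracts from the __DATA__ section” means in practice, the following added example (not Malwarebytes’ analysis code) reads everything after a Perl script’s `__DATA__` or `__END__` token, exactly as Perl’s DATA filehandle would, and carves out embedded payloads by their file headers: Mach-O magic numbers, the `CAFEBABE` magic shared by Java class files and fat Mach-O binaries (told apart by the version/architecture-count field that follows), and a Perl shebang. The embedded blobs are constructed headers, not the real Fruitfly payloads, and how the real script encoded its data is not described on this page, so raw bytes are assumed.

```python
"""
Carve payloads embedded after a Perl script's __DATA__ token.

Added example, not Malwarebytes' analysis code. The sample script and the
embedded blobs are constructed header stubs, not real Fruitfly payloads; raw
(unencoded) bytes after __DATA__ are assumed.
"""
import struct
from typing import List, Optional, Tuple

# Magic numbers as read big-endian from the first four bytes.
MACHO_MAGICS = {
    0xFEEDFACE: "Mach-O 32-bit (big-endian)",
    0xCEFAEDFE: "Mach-O 32-bit (little-endian)",
    0xFEEDFACF: "Mach-O 64-bit (big-endian)",
    0xCFFAEDFE: "Mach-O 64-bit (little-endian)",
}
CAFEBABE = 0xCAFEBABE  # shared by Java .class files and fat/universal Mach-O


def data_section(script: bytes) -> bytes:
    """Bytes after the first __DATA__ or __END__ line, as Perl's DATA filehandle sees them."""
    padded = b"\n" + script  # so a token on the very first line is still found
    for marker in (b"\n__DATA__", b"\n__END__"):
        idx = padded.find(marker)
        if idx == -1:
            continue
        line_end = padded.find(b"\n", idx + 1)  # skip the rest of the token line
        return b"" if line_end == -1 else padded[line_end + 1:]
    return b""


def classify(data: bytes, offset: int) -> Optional[str]:
    """Name the file type whose header starts at `offset`, or None."""
    if len(data) - offset < 8:
        return None
    magic = struct.unpack(">I", data[offset:offset + 4])[0]
    if magic in MACHO_MAGICS:
        return MACHO_MAGICS[magic]
    if magic == CAFEBABE:
        # Java: u2 minor_version, u2 major_version (45 = JDK 1.1, 52 = Java 8, ...).
        # Fat Mach-O: u4 nfat_arch, a small count, so its "major version" is tiny.
        _minor, major = struct.unpack(">HH", data[offset + 4:offset + 8])
        if 45 <= major <= 80:
            return f"Java class file (major version {major})"
        nfat = struct.unpack(">I", data[offset + 4:offset + 8])[0]
        if 0 < nfat <= 16:
            return f"fat/universal Mach-O ({nfat} architectures)"
        return None
    if data.startswith(b"#!", offset):
        line_end = data.find(b"\n", offset)
        line = data[offset:line_end if line_end != -1 else len(data)]
        if b"perl" in line:
            return "Perl script (shebang)"
    return None


def carve(data: bytes) -> List[Tuple[int, str]]:
    """Scan the DATA bytes for recognisable headers; return (offset, type) in file order."""
    found: List[Tuple[int, str]] = []
    for offset in range(max(0, len(data) - 7)):
        kind = classify(data, offset)
        if kind:
            found.append((offset, kind))
    return found


# Constructed payload stubs: just enough header to be recognised, zero-padded.
FAKE_MACHO = struct.pack(">I", 0xFEEDFACF) + b"\x01\x00\x00\x07" + b"\x00" * 24   # 32 bytes
FAKE_PERL = b"#!/usr/bin/perl\nprint 1;\n"                                          # 25 bytes
FAKE_JAVA = struct.pack(">IHH", CAFEBABE, 0, 52) + b"\x00" * 8                       # 16 bytes
FAKE_FAT = struct.pack(">II", CAFEBABE, 2) + b"\x00" * 8                             # 16 bytes
PAYLOADS = FAKE_MACHO + FAKE_PERL + FAKE_JAVA + FAKE_FAT

# Constructed dropper stub (hypothetical, not the real .client script).
SAMPLE_SCRIPT = (
    b"#!/usr/bin/perl\n"
    b"# constructed dropper stub: reads DATA, writes pieces to /tmp, executes them\n"
    b"read(DATA, my $blob, 1_000_000);\n"
    b"__DATA__\n"
) + PAYLOADS

if __name__ == "__main__":
    for offset, kind in carve(data_section(SAMPLE_SCRIPT)):
        print(f"offset {offset:5d}: {kind}")
```

The same scan works on a real sample once any encoding layer the dropper applies (hex, base64, XOR) has been undone; the offsets it reports are where an analyst would cut the blobs out for separate analysis of the Mach-O, the second Perl script and the Java class.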
“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,” the Malwarebytes researcher wrote in the blog post. “In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.”
On the name, the researchers add: “Quimitchin were Aztec spies who would infiltrate other tribes. Given the ‘ancient’ code, we thought the name fitting.”
A detailed technical write-up is available from Malwarebytes.
Apple has released a protection update for the Quimitchin malware that is downloaded and installed automatically, to protect Macs against this infection.