Named Quimitchin by Malwarebytes and called Fruitfly by Apple, the ‘new’ back door may actually have been lurking in the background of macOS for years, taking advantage of vulnerabilities in code that hasn’t been updated since the late 1990s, according to the antivirus software publisher’s blog post.
A masterclass in simplicity, the malware contains just two files designed to open a backdoor into the Macs it infects, letting it receive instructions from the hacker’s computer, known in the cybersecurity world as a command and control server (C&C).
Thomas Reed from Malwarebytes said: “These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.
“However, we shouldn’t take the age of the code as too strong an indication of the age of the malware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying on old documentation.
“It could also be that they’re using old system calls to avoid triggering any kind of behavioral detections that might be expecting more recent code.”
Thomas Reed goes on to say that ironically, despite the age and sophistication of this malware, it uses the same old unsophisticated technique for persistence that so many other pieces of Mac malware do: a hidden file and a launch agent. “This makes it easy to spot, given any reason to look at the infected machine closely (such as unusual network traffic). It also makes it easy to detect and easy to remove.”
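The "hidden file plus launch agent" pattern Reed describes is simple to check for with nothing but the standard library. The script below is an added example, not code from Malwarebytes or Apple: it parses launchd plists and flags any whose program path runs through a dot-file or dot-directory. The file names, labels and paths in the sample plists are constructed.

```python
# Added example (not from the Malwarebytes write-up): flag launchd agents
# whose program lives in a hidden dot-file or dot-directory, the persistence
# pattern described above. Sample plists are constructed; stdlib only.
import plistlib
from pathlib import Path, PurePosixPath
from xml.parsers.expat import ExpatError

def program_paths(plist):
    """Return every program path a launchd plist would execute."""
    paths = [plist["Program"]] if isinstance(plist.get("Program"), str) else []
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths

def is_hidden_path(path):
    """True if any path component is a dot-file or dot-directory ('.'/'..' excluded)."""
    return any(p.startswith(".") and p not in (".", "..")
               for p in PurePosixPath(path).parts)

def suspicious_agents(plists):
    """Map {plist name: raw bytes} -> [(name, hidden program path), ...]."""
    findings = []
    for name, raw in plists.items():
        try:
            data = plistlib.loads(raw)
        except (plistlib.InvalidFileException, ExpatError):
            continue  # unparsable plist: skip it rather than abort the scan
        findings += [(name, p) for p in program_paths(data) if is_hidden_path(p)]
    return findings

def scan_launch_dirs():
    """Run the check over the real per-user and system launchd folders."""
    dirs = [Path.home() / "Library/LaunchAgents",
            Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    raw = {str(p): p.read_bytes() for d in dirs if d.is_dir()
           for p in d.glob("*.plist")}
    return suspicious_agents(raw)

SAMPLE_PLISTS = {  # constructed: a normal agent and one that launches a dot-file
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/upd"]}),
    "com.example.client.plist": plistlib.dumps({
        "Label": "com.example.client", "RunAtLoad": True,
        "ProgramArguments": ["/Users/alice/.client", "-d"]}),
}

if __name__ == "__main__":
    for name, prog in suspicious_agents(SAMPLE_PLISTS):
        print(f"{name}: hidden program {prog}")
```

On a real Mac, `scan_launch_dirs()` applies the same check to the live launch agent and daemon folders; a hit is a lead to investigate, not proof of infection, since some legitimate tools also install from dot-directories.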
The good news is that Apple has released an update that will be automatically downloaded behind the scenes to protect against future infections.
Also, as you might expect, Malwarebytes detects Fruitfly, or Quimitchin. (Why that name? Because the quimitchin were Aztec spies who infiltrated other tribes; given the “ancient” code, the researchers thought the name rather fitting.)