The first Mac malware of 2017 has been detected, raising the question of whether Macs are still safe from bad guys or whether malware lurks there undetected.
Mac users usually feel safe when it comes to malicious software attacking their systems. Viruses, worms and other kinds of malware are relatively rare compared with what Microsoft Windows users face. However, in the last couple of years the situation has been changing, and it seems that the attention of malware creators is turning towards Mac users.
Key Points
- The malicious code is extremely simple and consists of only two files.
- The code seems truly ancient, with calls dating to pre-OS X times and open source libraries whose latest update is from the last century.
- The malware targets specific institutions, namely biomedical research centers. This suggests an attempt to steal research data or some other kind of espionage.
- The malware accesses the webcam and captures the screen, exfiltrating data from everything it can reach.
Overview
There are a few interesting things about Quimitchin. The name comes from the Aztec spies who infiltrated other tribes (fitting, because the code of the malware itself is ancient, or at least seems so). First and foremost, it might have been running on specific systems undetected for years. Why was it undetected? Targeted attacks are much more difficult to detect because of their limited exposure, and this is the case with Quimitchin, which is most likely an espionage tool. The malware tries to access the webcam with primitive calls dating back to pre-OS X times. It also tries to capture the screen and has the rudiments of a remote control function, with the possibility of receiving commands such as changing the position of the mouse cursor or simulating mouse clicks.
It consists of two files: one for keeping the client alive and another, a Perl script, for communication with command and control servers, taking screenshots, accessing the webcam and other activities. It can also scan your network, build a map of all devices, try to connect to them, and report IP addresses and other information.
What is even more interesting, the malware code contains Linux shell commands too. This may indicate that similar malware exists on Linux systems. To date, the existence of such malware cannot be confirmed. However, communications with the same command and control center were reported to VirusTotal a couple of times before.
No one knows how this piece of malware is installed, who created it, or for how long it was stealing scientific research data, and this mysterious twist is one of the reasons why Quimitchin is one of the most interesting pieces of malware of early 2017. Although who the creators are isn't clear, as researchers dig into it, time will reveal who was standing behind the curtain.
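A defender's hunt for the "keep-alive plus Perl script" pairing described above, as an added example that is not code from the original article or from the malware sample. The page does not say how the keep-alive component persists; this example assumes it is a launchd job (a plist under the LaunchAgents or LaunchDaemons directories) and flags any job whose command line starts a Perl interpreter or a .pl script. The sample plists are constructed here for illustration; the paths in them are not indicators from the page.

```python
import os
import plistlib
import tempfile

# Persistence locations launchd reads on macOS (per-user agents plus system-wide dirs).
LAUNCHD_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

def _invokes_perl(argv):
    """True if the job's command line starts a perl interpreter or passes a .pl script."""
    if not argv:
        return False
    exe = os.path.basename(str(argv[0]))
    return exe.startswith("perl") or any(str(a).endswith(".pl") for a in argv)

def perl_launch_jobs(dirs=LAUNCHD_DIRS):
    """Return (plist path, argv) for every launchd job that runs perl.
    Unreadable or malformed plists are skipped rather than aborting the scan."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue
            # Jobs use either ProgramArguments (argv list) or a bare Program path.
            argv = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
            if _invokes_perl(argv):
                hits.append((path, [str(a) for a in argv]))
    return hits

def demo():
    """Constructed sample (hypothetical paths): one KeepAlive perl job, one benign job."""
    tmp = tempfile.mkdtemp()
    jobs = {
        "com.example.suspect.plist": {"Label": "com.example.suspect", "KeepAlive": True,
                                      "ProgramArguments": ["/usr/bin/perl", "/Users/x/.hidden/client.pl"]},
        "com.example.benign.plist": {"Label": "com.example.benign",
                                     "ProgramArguments": ["/usr/bin/python3", "/opt/tool/sync.py"]},
    }
    for fname, job in jobs.items():
        with open(os.path.join(tmp, fname), "wb") as fh:
            plistlib.dump(job, fh)
    return perl_launch_jobs([tmp])

if __name__ == "__main__":
    for path, argv in perl_launch_jobs():
        print(path, " ".join(argv))
```

A hit is a lead to inspect, not a verdict: legitimate tooling can run Perl from launchd, so check the script's location, ownership and what it connects to.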
Relevance to your security
This malware can infect your Mac computer, although unless you are working at a biomedical research institution you shouldn't worry too much. On the other hand, the discovery of this malware, which uses such ancient techniques, might show that a lot of bad things can be happening undetected on your OS X Mac computer.
Webcam access: Possibly captures images and records video, though further investigation of the code is needed.
Screen capture: Captures what is happening on your screen and transfers the images.
Remote control: It can remotely control your computer (simulate key presses, mouse clicks and cursor position) and gather your network data: IP addresses, network names and the ports in use.
Conclusion
Quimitchin is one of the mysteries that surfaced in the cyber security field in early 2017. More is unknown than known about this malware's activities, its creators, its purpose, and for how long it was used undetected.