Mac Malware Uses Antiquated Code

A new piece of Apple Mac malware was discovered recently, but it may have been circulating in the Mac world for two years. The malware, dubbed Fruitfly by Apple, is apparently a fairly simplistic piece of code. It can capture webcam images and screenshots, collect information about every device on the network, and then try to connect to each of the devices it found.

The malware was discovered by an administrator who noticed unexpected outbound traffic from his network. I am not sure how many admins would notice suspicious traffic coming from a single computer.

The code calls programming functions that date from before 2001, when OS X first shipped, and links a code library that was last updated in 1998.

There are also other markers. A comment in the code indicates that this version of the malware, at least, was released after OS X Yosemite shipped in 2014, which means it could have been infecting machines for more than two years.

Given this information, it is certainly possible that the code is a decade old and has been updated as needed whenever Apple modified OS X.

It is pure speculation, but the malware may have been used only in very targeted attacks, possibly by Russian or Chinese actors, to steal US and European scientific research.

Malwarebytes now detects the software as OSX.Backdoor.Quimitchin.

As is often the case with malware these days, once installed it downloads additional modules from its command and control server. For example, it was observed downloading several Perl scripts used to map the network and attempt to log on to other machines.
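The two observable behaviours described above, a workstation repeatedly calling out to an external host nobody expects and then fanning out across the internal network, are exactly what an admin watching outbound traffic could catch. The following is an added example (not code from the original post, Malwarebytes or Apple) of simple detection logic run over constructed flow records. The record format, the 10.0.0.0/8 internal range, the allow-listed external address and the thresholds are all assumptions chosen for illustration.

```python
"""Flag hosts whose connection pattern resembles a backdoor that (a) beacons to an
external address not on any allow-list and (b) touches an unusually large number of
internal hosts, as a downloaded network-mapping script would.

Added example with constructed data; nothing here is captured from a real infection."""

import ipaddress
from collections import defaultdict

# Assumed internal address space and a hypothetical allow-list of external hosts
# the network is expected to talk to (an update server, for example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXTERNAL_ALLOWLIST = {"142.250.72.14"}

# Constructed flow records: "src_ip dst_ip dst_port proto".
# 10.0.5.20 and 10.0.5.21 behave like ordinary workstations; 10.0.5.42 is the suspect.
SAMPLE_FLOWS = """\
10.0.5.20 142.250.72.14 443 tcp
10.0.5.20 10.0.1.5 53 udp
10.0.5.21 10.0.1.5 53 udp
10.0.5.21 10.0.1.10 445 tcp
10.0.5.42 203.0.113.77 443 tcp
10.0.5.42 203.0.113.77 443 tcp
10.0.5.42 203.0.113.77 443 tcp
10.0.5.42 10.0.1.5 53 udp
10.0.5.42 10.0.5.1 22 tcp
10.0.5.42 10.0.5.2 22 tcp
10.0.5.42 10.0.5.3 22 tcp
10.0.5.42 10.0.5.4 22 tcp
10.0.5.42 10.0.5.5 22 tcp
10.0.5.42 10.0.5.6 22 tcp
10.0.5.42 10.0.5.7 22 tcp
10.0.5.42 10.0.5.8 5900 tcp
"""


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows, allowlist=EXTERNAL_ALLOWLIST, min_count=3):
    """Return {src: {dst, ...}} for external destinations a host contacted at least
    min_count times that are not on the allow-list (the 'unexpected outbound traffic')."""
    counts = defaultdict(int)
    for f in flows:
        if not is_internal(f["dst"]) and f["dst"] not in allowlist:
            counts[(f["src"], f["dst"])] += 1
    result = defaultdict(set)
    for (src, dst), n in counts.items():
        if n >= min_count:
            result[src].add(dst)
    return dict(result)


def find_internal_scanners(flows, min_distinct=5):
    """Return {src: n} for hosts that reached at least min_distinct distinct internal
    destinations, the footprint of a script mapping the network and trying logins."""
    seen = defaultdict(set)
    for f in flows:
        if is_internal(f["dst"]) and f["dst"] != f["src"]:
            seen[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in seen.items() if len(d) >= min_distinct}


def analyze(text):
    """Run both detectors; a host that trips both is the strongest signal."""
    flows = parse_flows(text)
    beacons = find_beacons(flows)
    scanners = find_internal_scanners(flows)
    both = sorted(set(beacons) & set(scanners))
    return {"beacons": beacons, "scanners": scanners, "both": both}


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for src in report["both"]:
        print(f"{src}: beacons to {sorted(report['beacons'][src])}, "
              f"touched {report['scanners'][src]} internal hosts")
```

On the sample data only 10.0.5.42 is reported: it contacts 203.0.113.77 three times and reaches nine distinct internal hosts, while the workstation that talks to the allow-listed address is ignored. The thresholds are deliberately low for a handful of records; against real flow logs they would need tuning to the environment's baseline, which is the hard part the admin in the story had already done in his head.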

Apple has released an update that will protect against future infections. One article says the Apple update will detect currently infected machines, while another says it only prevents future infections, so that part is not clear.

As a side note, the code also runs on Linux machines, with the exception of one module that is a Mac binary, so even computers running Linux are not safe from it.

So, while Mac malware is still rare, hackers are branching out and looking for new opportunities as Microsoft locks down Windows. If it is true that this malware was used to steal scientific and biomedical research, it makes sense that it would be geared towards Apple and Linux computers.

Information for this post came from Ars Technica and the Malwarebytes blog.
