{
	"id": "ef6748ef-3d4c-442d-9ee6-66fedf124a13",
	"created_at": "2026-04-06T00:17:54.481163Z",
	"updated_at": "2026-04-10T03:22:10.064878Z",
	"deleted_at": null,
	"sha1_hash": "afca1f23d9e3242075be80b65a1fcb503fca8374",
	"title": "New Mac backdoor using antiquated code | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 136653,
	"plain_text": "New Mac backdoor using antiquated code | Malwarebytes Labs\r\nBy Thomas Reed\r\nPublished: 2017-01-17 · Archived: 2026-04-05 17:02:38 UTC\r\nThe first Mac malware of 2017 was brought to my attention by an IT admin, who spotted some strange outgoing\r\nnetwork traffic from a particular Mac. This led to the discovery of a piece of malware unlike anything I’ve seen\r\nbefore, which appears to have actually been in existence, undetected, for some time, and which seems to be\r\ntargeting biomedical research centers.\r\nThe malware was extremely simplistic on the surface, consisting of only two files:\r\n~/.client SHA256: ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044 ~/Library/Launch\r\nThe launch agent .plist file itself couldn’t have been much simpler, simply keeping the .client running at all times.\r\n KeepAlive Label com.client.client ProgramArguments /Users/xxxx/.client RunAtLoad N\r\nThe .client file was where things got really interesting. It took the form of a minified and obfuscated perl script.\r\nThe perl script, among other things, communicates with the following command and control (C\u0026C) servers:\r\n99.153.29.240 eidk.hopto.org\r\nThe latter is a domain name managed by the dynamic DNS service no-ip.com.\r\nThe script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do\r\nthis both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the\r\nsystem’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command.\r\nThe most interesting part of the script can be found in the __DATA__ section at the end. Found there are a Mach-O binary, a second perl script and a Java class, which the script extracts, writes to the /tmp/ folder and executes. In\r\nthe case of the Java class file, it is run with apple.awt.UIElement set to true, which means that it does not show up\r\nin the Dock.\r\nThe binary itself seems primarily interested in screen captures and webcam access, but interestingly, it uses some\r\ntruly antique system calls for those purposes, such as:\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/\r\nPage 1 of 3\n\nSGGetChannelDeviceList SGSetChannelDevice SGSetChannelDeviceInput SGInitialize SGSetDataRef SGNewChan\r\nThese are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In\r\naddition, the binary also includes the open source libjpeg code, which was last updated in 1998.\r\nThe Java class appears to be capable of receiving commands to do various tasks, which include yet another\r\nmethod of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position,\r\nsimulating mouse clicks, and simulating key presses. This component appears to be intended to provide a kind of\r\nrudimentary remote control functionality.\r\nWe also observed the malware downloading a perl script, named “macsvc”, from the C\u0026C server. This script uses\r\nmDNS to build a map of all the other devices on the local network, giving information about each device\r\nincluding its IPv6 and IPv4 addresses, name on the network and the port that is in use. It also appears to be\r\nmaking connection attempts to devices it finds on the network.\r\nmacsvc SHA256:b556c04c768d57af104716386fe4f23b01aa9d707cbc60385895e2b4fc08c9b0\r\nAnother file downloaded from the C\u0026C server was named “afpscan”, and it seems to try to connect to other\r\ndevices on the network.\r\nafpscan SHA256:bbbf73741078d1e74ab7281189b13f13b50308cf03d3df34bc9f6a90065a4a55\r\nThe presence of Linux shell commands in the original script led us to try running this malware on a Linux\r\nmachine, where we found that – with the exception of the Mach-O binary – everything ran just fine. This suggests\r\nthat there may be a variant of this malware that is expressly designed to run on Linux, perhaps even with a Linux\r\nexecutable in place of the Mach-O executable. However, we have not found such a sample.\r\nWe were able to locate a couple of Windows executable files on VirusTotal that communicate with the same C\u0026C\r\nserver. In addition, one contains strings that indicate that it uses the same libjpeg library from 1998 as the Mac\r\nMach-O binary. Each of these samples was only ever submitted to VirusTotal once, in June and July of 2013, and\r\nis only detected by a few engines under generic names.\r\nSHA256:94cc470c0fdd60570e58682aa7619d665eb710e3407d1f9685b7b00bf26f9647 SHA256: 694b15d69264062e82d4\r\nThere are other indications that this malware has been circulating undetected for a long time. On one of the\r\ninfected Macs, the launch agent file had a creation date in January of 2015. That’s not strong evidence of the true\r\ncreation date, though, as those dates can easily be changed.\r\nFurther, there is a comment in the code in the macsvc file that indicates that a change was made for Yosemite\r\n(Mac OS X 10.10), which was released in October of 2014. This suggests that the malware has been around at\r\nleast some time prior to Yosemite’s release.\r\n if(/_(tcp|udp)\\S*\\s+(_\\S+)$/){ $s=\"$2._$1\"; } elsif(/icloud.com.\\s+(_[^.]+._(tcp|udp)).\\d+.members.btmm$\r\nAnother clue, of course, is the age of some of the code, which could potentially suggest that this malware goes\r\nback decades. However, we shouldn’t take the age of the code as too strong an indication of the age of the\r\nmalware. This could also signify that the hackers behind it really don’t know the Mac very well and were relying\r\non old documentation. It could also be that they’re using old system calls to avoid triggering any kind of\r\nbehavioral detections that might be expecting more recent code.\r\nIronically, despite the age and sophistication of this malware, it uses the same old unsophisticated technique for\r\npersistence that so many other pieces of Mac malware do: a hidden file and a launch agent. This makes it easy to\r\nspot, given any reason to look at the infected machine closely (such as unusual network traffic). It also makes it\r\neasy to detect and easy to remove.\r\nThe only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very\r\ntightly targeted attacks, limiting its exposure. There have been a number of stories over the past few years about\r\nChinese and Russian hackers targeting and stealing US and European scientific research. Although there is no\r\nevidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at\r\nbiomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.\r\nMalwarebytes will detect this malware as OSX.Backdoor.Quimitchin. (Why the name? Because the quimitchin\r\nwere Aztec spies who would infiltrate other tribes. Given the “ancient” code, we thought the name\r\nfitting.) Apple calls this malware Fruitfly and has released an update that will be automatically downloaded\r\nbehind the scenes to protect against future infections.\r\nAbout the author\r\nHad a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
	],
	"report_names": [
		"new-mac-backdoor-using-antiquated-code"
	],
	"threat_actors": [],
	"ts_created_at": 1775434674,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afca1f23d9e3242075be80b65a1fcb503fca8374.pdf",
		"text": "https://archive.orkl.eu/afca1f23d9e3242075be80b65a1fcb503fca8374.txt",
		"img": "https://archive.orkl.eu/afca1f23d9e3242075be80b65a1fcb503fca8374.jpg"
	}
}