Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Quimitchin, a Mac backdoor that includes antiquated code

Researchers at Malwarebytes have discovered the first Mac malware of 2017, dubbed Quimitchin, that was used against  biomedical research institutions. Security experts have spotted the first Mac malware of 2017, dubbed Quimitchin,  and it is considered a malicious code not particularly sophisticated and includes some antiquated code. According to the researchers from Malwarebytes, the code has […]

Quimitchin, a Mac backdoor that includes antiquated code

Researchers at Malwarebytes have discovered the first Mac malware of 2017, dubbed Quimitchin, that was used against  biomedical research institutions.

Security experts have spotted the first Mac malware of 2017, dubbed Quimitchin,  and it is considered a malicious code not particularly sophisticated and includes some antiquated code.

According to the researchers from Malwarebytes, the code has been in the wild for several years and was used in targeted attacks against biomedical research institutions.

The Quimitchin spyware was discovered by an IT admin who noticed an anomalous traffic from a certain Mac in his network.

The malicious code is composed of two only two files:

  • A .plist file that simply keeps the .client running at all times.
  • A .client file containing the malicious payload, a minified and obfuscated Perl script.

The main features implemented by the payload are the screen captures and webcam access.

“The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command.” reads the analysis published by MalwareBytes.

The ability of the malware to exfiltrate data from anything it can access, and the nature of the targets, biomedical facilities, suggest that threat actors behind the attacks were conducting a cyber espionage campaign.

Quimitchin

The Quimitchin uses antique system calls, and the analysis of its code revealed the use of the open source libjpeg code, which was last updated in 1998.

“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.” continues the analysis.

“The Java class appears to be capable of receiving commands to do various tasks, which include yet another method of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position, simulating mouse clicks, and simulating key presses. This component appears to be intended to provide a kind of rudimentary remote control functionality.”

Experts from Malwarebytes suspect that there is also a specific Linux variant in the wild because they have found Linux shell commands in the code of the scripts.

The security firm also found two Windows executable file that communicated with the same C&C server, in one case the Windows code used the same libjpeg library.

Despite the Quimitchin is not so complex, it continues to properly work avoiding the detection, something similar to the EyePyramid code.

Why a code like Quimitchin wasn’t detected for so long time?

Expert believe that is was using in a limited number of targeted attack so he was not spotted before.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Quimitchin spyware, cyber espionage)