Newly-discovered Mac malware runs ancient code

Researchers have discovered a rare piece of targeted Mac malware that has remained undetected for years despite using unsophisticated and ancient code.

Infosec firm Malwarebytes said it discovered the malware after an IT admin spotted unusual outgoing activity from a specific Mac computer.

The firm said the malware uses code that pre-dates Apple's OS X operating system - including the likes of SGGetChannelDeviceList and SGStartRecord - and also runs libjpeg code, which was last updated in 1998.

It contains only two files and uses a hidden script to communicate to its servers. The script can also hide the malware's icon from showing in the macOS dock by executing a secondary script and Java class.

The malware also includes Linux shell commands which indicate it is likely running on that operating system, Malwarebytes said. While the firm said it was yet to spot a Linux variant, it would come as no surprise if one was in operation.

The purpose of the malware appeared to be to take screenshots of Mac and Linux computers and gain access to the webcam, Malwarebytes said. The malware also collects information about each device connected to the same network as the target computer and connects to them.

Malwarebytes was unable to pinpoint the malware's exact creation date, but noted that it had gone through changes to work with OS X Yosemite, which makes it a least a year old.

The firm said the malware was "unlike anything [it's] seen before".

It appears to be specifically targeting biomedical research centres.

"The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure," Malwarebytes' director of Mac offerings Thomas Reed wrote.

"There have been a number of stories over the past few years about Chinese and Russian hackers targeting and stealing US and European scientific research. Although there is no evidence at this point linking this malware to a specific group, the fact that it’s been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage."

Apple has quietly released an update for macOS to address the issue, dubbing the malware "Fruitfly".