New Mac malware: Fruitfly, or OSX.Backdoor.Quimitchin

Malwarebytes Labs has just reported newly detected malware which can affect most versions of OS X / macOS, and probably dates back to before Yosemite. It appears to have been used very little, and mainly in targeted attacks, so it is currently considered to be a low risk to the ordinary Mac user.

One of its distinctive traits is the presence of two files in the Home folder of an infected account: a hidden file named simply .client at the top level of the Home folder, and com.client.client.plist in ~/Library/LaunchAgents.
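A check for the two files named above, written as an added example and not taken from Malwarebytes or the original post. The function names and the default scan root of /Users are assumptions, and a hit on only one of the two files is reported separately as "partial".

```shell
#!/bin/sh
# Added example: look for the two Fruitfly/Quimitchin files named in the post.
# Function names and the default scan root (/Users) are assumptions.

# Print the indicator paths present under one home folder, one per line.
fruitfly_indicators() {
    dir=$1
    for rel in ".client" "Library/LaunchAgents/com.client.client.plist"; do
        # -e follows symlinks; -L also catches a dangling symlink at that path
        if [ -e "$dir/$rel" ] || [ -L "$dir/$rel" ]; then
            printf '%s\n' "$dir/$rel"
        fi
    done
}

# Classify one home folder: "clean", "partial" (one file) or "match" (both).
fruitfly_status() {
    count=$(fruitfly_indicators "$1" | wc -l | tr -d ' ')
    case $count in
        0) echo clean ;;
        1) echo partial ;;
        *) echo match ;;
    esac
}

# Scan every home folder under a root and list those that are not clean.
# The last line printed is the number of flagged accounts.
fruitfly_scan() {
    root=${1:-/Users}
    flagged=0
    for home in "$root"/*; do
        [ -d "$home" ] || continue
        state=$(fruitfly_status "$home")
        [ "$state" = clean ] && continue
        flagged=$((flagged + 1))
        echo "$state: $home"
        fruitfly_indicators "$home" | sed 's/^/    /'
    done
    echo "flagged=$flagged"
}

# Run a scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    fruitfly_scan "${2:-/Users}"
fi
```

Reading other accounts' Home folders normally needs administrator rights, so a scan run as an ordinary user may only see that user's own files.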

It behaves as a backdoor which appears mainly to spy on users by taking screenshots and webcam images, and is operated from a remote C&C server.

Malwarebytes has been updated to detect and deal with it. It is believed that Apple’s silent security updates of 18 January 2017 also detect it (probably in the MRT update), although as Apple does not reveal information about those updates, that is not certain. Apple has apparently named it Fruitfly, and Malwarebytes has chosen OSX.Backdoor.Quimitchin instead.

As it persists through a LaunchAgent, it is likely that Objective-See’s tools will also pick it up.

Full details are at Malwarebytes Labs.