
TLP: GREEN

05 March 2018
Alert Number MC-000091-MW

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber criminals.

This FLASH has been released TLP: GREEN. The information in this product is useful for the awareness of all participating organizations within their sector or community, but should not be shared via publicly accessible channels.

WE NEED YOUR HELP! If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately.
Email: cywatch@ic.fbi.gov
Phone: 1-855-292-3937
*Note: By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

Updated Indicators Associated with Fruitfly/Quimitchin Malware

Summary

This communication is intended to update information released in previous FBI FLASH MC-000080-MW, released 27 March 2017. The FBI is providing the following information with HIGH confidence:

The FBI obtained updated indicators of compromise related to the Fruitfly/Quimitchin[1] malware based on targeting of an identified US university in early January 2017. The malware was used to access user information, log keystrokes to gather credentials, and pivot into other systems and services.

Technical Details

The attack vector included the scanning and identification of externally facing services, to include the Apple Filing Protocol (AFP, port 548), RDP or other VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from third party data breaches.

The following network indicators are attributed to all versions of the Fruitfly/Quimitchin malware (best indicators):

[1] According to an 18 January 2017 open source report from appleinsider.com, US business Apple identifies the malware as “Fruitfly” and the Malwarebytes app identifies the code as “OSX.Backdoor.Quimitchin.”



The following Mac host based indicators are attributed to the Fruitfly/Quimitchin malware:
1. ~/Library/LaunchAgents/com.client.client.plist
2. ~/Library/LaunchAgents/com.adobe.ARM.<16 random alphanumeric characters>.plist
3. ~/.tmp
4. ~/.client
5. ~/fpsaud
6. ~/Library/Application Support/<16 random alphanumeric characters>
7. ~/.cr or ~/.cr2

Context for the above indicators:
1. Denotes persistence mechanism for version A
2. Denotes persistence mechanism for version B
3. Information staging directory
4. Trojan control script for version A
5. Trojan control script for some version B variants
6. Trojan control script for some version B variants
7. Webcam capturing component
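A defender-side check for the Mac host indicators listed above, as an added example that is not part of the FBI product: it matches a home-directory listing (a constructed sample is embedded) against items 1 to 7, using regexes for the two items that embed a 16-character random token, and can also walk a live home directory. Item numbers and context strings are taken from the list above; the function names are my own.

```python
import os
import re
from pathlib import Path
# Fixed-path indicators from the FLASH (relative to the home directory) -> (item number, context).
FIXED_INDICATORS = {
    "Library/LaunchAgents/com.client.client.plist": (1, "persistence mechanism, version A"),
    ".tmp": (3, "information staging directory"),
    ".client": (4, "trojan control script, version A"),
    "fpsaud": (5, "trojan control script, some version B variants"),
    ".cr": (7, "webcam capturing component"),
    ".cr2": (7, "webcam capturing component"),
}
# Items 2 and 6 embed a 16-character random alphanumeric token, so they are matched by regex.
PATTERN_INDICATORS = [
    (re.compile(r"^Library/LaunchAgents/com\.adobe\.ARM\.[A-Za-z0-9]{16}\.plist$"), 2, "persistence mechanism, version B"),
    (re.compile(r"^Library/Application Support/[A-Za-z0-9]{16}$"), 6, "trojan control script, some version B variants"),
]
# Constructed sample listing (not from a real host), in the form `find ~ -maxdepth 3` prints it.
SAMPLE_LISTING = """
./Library/LaunchAgents/com.client.client.plist
./Library/LaunchAgents/com.adobe.ARM.a1B2c3D4e5F6g7H8.plist
./Library/LaunchAgents/com.adobe.ARM.short.plist
./Library/Application Support/Zz9Yy8Xx7Ww6Vv5U
./.cr2
""".strip().splitlines()

def match_indicators(relative_paths):
    """Return sorted (item_number, relative_path, context) for every entry matching an indicator."""
    hits = []
    for rel in relative_paths:
        rel = rel.strip().rstrip("/").removeprefix("./")   # normalise `find .` style output
        if rel in FIXED_INDICATORS:
            item, context = FIXED_INDICATORS[rel]
            hits.append((item, rel, context))
            continue
        for pattern, item, context in PATTERN_INDICATORS:
            if pattern.match(rel):
                hits.append((item, rel, context))
    return sorted(hits)

def scan_home(home, max_depth=3):
    """Walk a live home directory (every indicator sits within three levels) and match its entries."""
    home = Path(home)
    rels = []
    for root, dirs, files in os.walk(home):
        if len(Path(root).relative_to(home).parts) >= max_depth:
            dirs[:] = []                       # do not recurse below the indicator depth
        for name in dirs + files:
            rels.append((Path(root) / name).relative_to(home).as_posix())
    return match_indicators(rels)
```

On a live Mac, `scan_home(Path.home())` reports any hit with its item number and context; a 16-character folder name under Application Support is only an indicator in combination with the others, so treat it as a lead to confirm rather than proof on its own.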

The following Windows host based indicators are attributed to the Fruitfly/Quimitchin malware family:

Windows malware mimics the installation paths and executables for Sophos antivirus.
- Path of %PROGRAMFILES%\Sophos Suite for NT\
- Custom (per infection) executable with ‘SAVCleanupService.exe’ or ‘SAVservice.exe’
- C:\a.exe
- C:\ab.exe
- C:\client.exe

Recommended Mitigations

While remediation will vary based on local environment, once the malware is
removed, the user credentials need to be changed. Additionally, credentials
of any service or website used on the system have likely been exposed and
those credentials should be changed as well. Those services had likely been
accessed as a result of the exposure, and a separate damage assessment
should be conducted per service. In enterprise environments, base images for
systems and common software installations need to be checked for re-infection
vectors.

This product is marked TLP:GREEN. Recipients may share TLP:GREEN
information with peers and partner organizations within their sector or
community, but not via publicly accessible channels. Information in this
category can be circulated widely within a particular community. TLP: GREEN
information may not be released outside of the community.


Your Feedback on the Value of this Product Is Critical

Was this product of value to your organization? Was the content clear and concise?
Your comments are very important to us and can be submitted anonymously. Please
take a moment to complete the survey at the link below. Feedback should be specific to
your experience with our written products to enable the FBI to make quick and
continuous improvements to such products. Feedback may be submitted online here:
https://www.ic3.gov/PIFSurvey

Please note that this survey is for feedback on content and value only. Reporting of
technical information regarding FLASH reports must be submitted through FBI CYWATCH.

